PRIVACY AND DATA PROTECTION POLICY "NEO Cyber Camp"
(WEBSITE https://www.neocc.co/)
(PLATFORM https://app.neocc.co)
PREAMBLE
This privacy and data protection policy (the "Policy") was adopted by a decision dated January 14, 2025 by the company Neo Cyber Camp, registered under SIREN number 984722884 with the Paris Trade and Companies Register (RCS), having its registered office and management address at 231 rue Saint-Honoré, 75001 PARIS, represented by Mr. Maximilien VOHNOUT, the company owning the website https://www.neocc.co/ and the NEO Cyber Camp platform available from said website (the "Platform"), (hereinafter referred to as the "Company"). The Policy aims to comply with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "Regulation", also known as the RGPD — Règlement Général sur la Protection des Données, or GDPR in English), as well as the obligations to:
- ensure the security of processed personal data, including protection against unlawful processing of personal data, and protection against potential loss, destruction, or damage to personal data;
- provide appropriate technical or organizational measures by the data processor.
In the course of its business, the Company may process the personal data of Users of this website and/or the Platform and/or Clients of the Company. With this Policy, the Company, as the data controller, informs you of what to expect regarding the processing of your personal data when you visit and use the website https://www.neocc.co/ and/or when you use the Platform.
The website https://www.neocc.co/ may contain links to third-party websites or use third-party products and services. This Policy does not apply to such third-party websites or to the products or services offered by third parties, which apply their own privacy policies.
If you have any questions, you may contact the Company as follows:
Neo Cyber Camp, attention of Mr. Maximilien VOHNOUT.
Address: 231 rue Saint-Honoré, 75001 PARIS, France.
Phone: 01 88 84 03 03
Email: max@neocc.co
Information on the competent data protection authority:
CNIL (Commission Nationale de l'Informatique et des Libertés — the French Data Protection Authority) - 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07
Phone: +33 / 01 53 73 22 22
Website: www.cnil.fr
General Provisions
Art. 1. Definitions
For the purposes of this Policy:
- "personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- "pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
- "data controller" means the Company;
- "processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller;
- "third party" means a natural or legal person, public authority, agency, or body other than the data subject, the data controller, the processor, and the persons who, under the direct authority of the data controller or processor, are authorized to process personal data;
- "consent" of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;
- "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Purposes of Processing. Business Activity. Processing Principles. Grounds for Processing.
Art. 2.
The main objective of this Policy is to meet the key requirements for the processing of personal data, as required by the Regulation.
This includes in particular the Regulation, the Personal Data Protection Act, as well as other applicable legislative and regulatory instruments adopted in the field of personal data protection.
The Policy will be reviewed and updated, if necessary, in the event of changes to the applicable legislation, as well as in the event of mandatory prescriptions by the competent supervisory body, namely the CNIL (Commission Nationale de l'Informatique et des Libertés).
This Policy aims to facilitate the effective application of legislation on the processing of personal data, taking into account the specificities of the Company's activities, namely: continuing professional education for adults in the field of Cybersecurity, as well as all economic, legal, industrial, commercial, civil, financial, movable, or immovable operations directly or indirectly related to the Company's corporate purpose.
The Company processes personal data in compliance with the following principles:
- lawfulness;
- good faith and transparency;
- limitation of processing purposes;
- relevance to the purposes of processing and minimization of collected data;
- accuracy and currency of data;
- limitation of storage in order to achieve objectives;
- integrity and confidentiality of processing and the need to ensure an appropriate level of security for personal data.
The grounds for collection, processing, and storage of your personal data are, depending on the particular case:
- Provision of additional information regarding the services we offer, at your express request through the form available on our website;
- Fulfilling our obligations as data controller under a contract with you;
- Explicit consent received from you in the course of our business activities;
- Compliance with legal obligations applicable to the data controller;
- For the purposes of our legitimate interest or that of a third party.
Based on each of the above grounds, there are specificities in data processing, as described in detail below.
3. Processing of Personal Data of the Company's Clients and Partners
Art. 3. (1) Purposes of Processing
In carrying out its activities and within the scope of its powers, the Company may process the personal data of natural persons as part of its business, namely: continuing professional education for adults in the field of Cybersecurity, as well as all economic, legal, industrial, commercial, civil, financial, movable, or immovable operations directly or indirectly related to the corporate purpose (hereinafter the "Activity").
To the extent that, in the performance of these contracts, personal data of individuals is processed, information concerning them is processed in a minimum volume, sufficient only for the proper performance of obligations under the respective contract.
Access to this information is granted to third parties only when the conduct of the Activity and/or the law so requires.
The Company collects and processes personal data of its clients in the performance of contractual obligations, as listed in this Policy.
Personal data received from Users is intended for the performance of the Company's obligations in connection with the training order placed, the reservation made by the Client through the enrollment form, or the contract entered into with them. The order or service contract between the Company and the respective Client constitutes the legal basis for the processing of personal data by the Company.
The information that the Company collects, including your personal data, enables:
- Communication with you and adaptation of our services in relation to your request;
- Compilation of statistics to improve products and services based on your usage;
- Sending you newsletters, promotional offers, and solicitations (unless you decline these services).
In any event, the Company only processes "ordinary" personal data of Users/Clients, as follows:
- For website Users who have filled in the contact form: surnames, first names, email address, phone number;
- For Platform clients: surname and first names, date of birth, physical address, email address, phone number, title, qualifications, identity card;
- For persons wishing to subscribe to the newsletter: email address.
Regarding assessors, the Company may process the following data: surname, first names, date of birth, email address, physical address, phone number, title, identity card, qualifications. Beyond these "ordinary" data concerning assessors, the Company may be required to process so-called sensitive data of assessors that is necessary for the proper performance of services. The conditions for processing such data will be detailed and specified in the respective contracts entered into with the assessors concerned.
The website https://www.neocc.co/ and the Platform are intended for persons of legal age who are capable of entering into contractual obligations.
Users under the age of 16 or those who are legally incapacitated must obtain the prior consent of their legal guardian before entering their data on the website and by email.
The age of 16 may be lowered to 13 depending on the local regulations of the User's habitual place of residence, pursuant to Article 8 of the RGPD (GDPR).
If your child under the age of 16 has provided personal information, please contact the Company without delay.
(2) Grounds and Duration of Processing
The Company processes and retains personal data for the period necessary to achieve the purposes of processing.
For Client data, this period is set at three (3) years after the completion of the last order or the termination of the respective contract.
Certain data may, however, be retained for a different period in the form of intermediate archiving, in particular to ensure compliance with legal obligations regarding retention.
Email addresses provided by Users in the context of their subscription to the Company's newsletter will be retained and used by the Company until the User unsubscribes, which they may do at any time, or for a period of three (3) years after the User's last contact with the Company.
In accordance with simplified standard number 48 developed by the CNIL, personal data relating to the management of clients and prospects will only be retained for the period strictly necessary for the management of the commercial relationship.
However, data used to establish proof of a right or a contract, or retained pursuant to a legal obligation, may be archived in accordance with applicable legal provisions.
(3) Risk Assessment
Given the nature of the services offered by the Company, the purposes for which personal data is collected, and the measures taken for data protection, the Company assesses the risk as minimal.
4. Cookies and Trackers
The Company uses cookies and trackers to better understand the Client's needs and to improve the quality of its services. These tools are only activated after obtaining your explicit consent via the cookie banner displayed upon your first visit.
Strictly Necessary Cookies
These cookies are essential for the operation of the website and cannot be disabled. They include:
- neo_consent: stores your cookie consent preferences.
Analytics and Audience Measurement Cookies
Subject to your consent, the Company uses the following tools:
- Google Analytics 4 (GA4) — Provider: Google LLC (United States). This tool collects anonymized data about website traffic (pages visited, session duration, traffic source, call-to-action button interactions, scroll depth). Data is processed in accordance with the EU-US Data Privacy Framework. Retention period: 14 months. Privacy policy: https://policies.google.com/privacy
- Microsoft Clarity — Provider: Microsoft Corporation (United States). This tool records heatmaps and anonymized browsing sessions to understand how users interact with the website. No personally identifiable information is collected. Retention period: 13 months. Privacy policy: https://privacy.microsoft.com/privacystatement
Functional Cookies
- Crisp — Provider: Crisp IM SAS (France). This live chat tool allows visitors to contact the Company in real time. Associated cookies store the chat session identifier. Privacy policy: https://crisp.chat/privacy/
Managing Your Preferences
You may express your browsing preferences in two ways, knowing that your choice is not final and may be changed at any time.
- Consent banner on https://www.neocc.co/: upon your first visit, a cookie banner allows you to accept or reject optional cookie categories;
- Directly through your web browser.
You may configure your browser so that cookies are stored on your device or, conversely, so that they are rejected. You may also configure your browser so that acceptance or rejection of cookies is offered to you on a case-by-case basis, before a cookie may be stored on your device.
The Company informs you that if you choose to disable cookies, you may not be able to log in and take full advantage of all the features of the products and services.
If you would like more information about cookies and your rights, you may visit the CNIL website, on the page "Cookies et traceurs : que dit la loi ?" (Cookies and trackers: what does the law say?).
5. Obligations of the Company Regarding the Processing of Personal Data
Art. 5. (1) Principles Applicable to the Processing of Your Data
The Company is required to process personal data received:
1. Lawfully, in good faith, and in a designated manner, specifying the purposes for which they are collected
The Company's clients and partners are informed of the manner in which their personal data is collected, used, consulted, or processed, as well as the extent to which data processing is or will be carried out, namely: by completing a training order form or by signing a service contract. Data subjects provide their data on the basis of the relevant grounds and in connection with the achievement of the respective purposes. The Company undertakes not to collect personal data that is not necessary for the achievement of the respective purposes. The Company undertakes to process the personal data provided to it by clients in a manner determined by the data subjects.
2. Keeping data up to date while ensuring the timely correction and deletion of inaccurate personal data
The Company undertakes to keep the personal data provided up to date by periodically reviewing stored data.
When it identifies an inaccuracy, the Company immediately takes corrective action by contacting the data subject.
In the event of information submitted by the client regarding outdated data, such data must be deleted immediately upon receipt of the relevant information.
3. Ensuring an appropriate degree of security
The Company guarantees that access to the client's personal file is granted only to them as the data subject and to the employees and/or representatives of the Company responsible for achieving the purposes of data collection. The Company has taken appropriate and sufficient technical and organizational measures to protect the personal data provided.
4. Guaranteeing the rights of data subjects
At all times, the Company grants data subjects the rights guaranteed by legislation, by directly informing data subjects, by publishing information on the Company's website, as well as in the event of any request made by personal data subjects.
5. Data protection contact person
For any questions relating to the protection of your data, you may contact Mr. Maximilien VOHNOUT:
Address: 231 rue Saint-Honoré, 75001 PARIS, France.
Phone: 01 88 84 03 03
Email: support@neocc.co
(2) Limited Transfer of Your Data
Your data is only accessible to the Company, its employees, service providers, and, where applicable, its partners, when they need to know said information in order to fulfill the Company's obligations to its Clients or to carry out its business.
Users' Personal Data will not be transmitted to commercial or advertising entities.
In certain circumstances, the Company may be required to share some of your data. For example, the Company may share some of your data:
- When the Company uses external service providers to perform services requiring access to such data. Only the information strictly necessary for the performance of the services will be communicated to them.
- To comply with legal requirements or an obligation resulting from a decision of a regulatory authority or a court decision;
- With audit and control services (statutory auditors, internal control departments, etc.);
- During debt recovery operations, with organizations, legal auxiliaries, and judicial officers responsible for such recovery.
As of today, the Company's key service providers are as follows:
- Microsoft Office 365 (Outlook, Teams, OneDrive...) - Documents, emails, instant messages, call logs... - Europe
- Scaleway - Website and platform hosting - Europe
- Folk - Commercial information - United States
- Digiforma - Training management system - Europe
- Google Analytics (Google LLC) - Audience measurement and web traffic analysis - United States (Data Privacy Framework)
- Microsoft Clarity (Microsoft Corporation) - Behavioral analytics and heatmaps - United States (Data Privacy Framework)
- Crisp (Crisp IM SAS) - Live chat, support, and ticketing - France
- Tally - Forms - Europe
Users/Clients are informed that, as of today and in accordance with a European Commission decision, the United States ensures an adequate level of personal data protection. The Company undertakes to ensure that when storing, processing, and protecting personal data, its partners endeavor to comply with the requirements and procedures applicable to the Company for the protection of personal data.
6. Measures Taken by the Company to Protect Personal Data
Art. 6.
In order to ensure the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of associated services, and in particular to prevent data from being distorted, damaged, or accessed by unauthorized third parties, the Company adopts technical and organizational measures adapted to the Company's activities and the personal data processed (physical protection of premises, authentication processes with personal and secure access via confidential usernames and passwords, connection logging, encryption of certain data, antivirus software, etc.).
In this regard, the Company takes all necessary precautions, given the nature of the data and the risks presented by the processing.
The security of your data includes, in particular, the use of secure exchange protocols and storage on secure servers. However, the Company cannot guarantee you complete security of data that you transmit over the internet, given the inherent risks of this type of transmission. The Company therefore encourages you to exercise caution when transmitting such data.
1) Technical Measures
The Company implements technical measures aimed at ensuring the protection of personal data by guaranteeing the ability of the hardware base and the automated network/information system to withstand, with an appropriate level of security, accidental events, illegal or malicious actions that would lead to a breach of availability, authenticity, integrity, and confidentiality of stored or transmitted data, as well as the prevention of unauthorized access to work premises and software used by the Company.
The security of your data includes, in particular, the use of secure exchange protocols (SSL Protocol for the online payment platform, where applicable) and storage on secure servers.
2) Organizational Measures
The Company adopts the following organizational measures:
- minimization of personal data processing;
- transparency regarding the functions and processing of personal data.
3) Personnel Protection
Personnel protection is a system of organizational measures applicable to persons who process personal data on the instructions of the data controller.
The Company adopts the following organizational measures:
- Company employees are admitted to work related to the processing of received data after having been familiarized with the legislation in the field of personal data protection, the Policy, and the guidelines for the protection of personal data and the risks to personal data processed by the Company;
- providing training and issuing instructions to employees regarding the processing and protection of personal data;
- signing confidentiality agreements;
- monitoring the work process;
- prohibition on using personal email;
- informing employees about the rights of data subjects.
The Company guarantees that any employee acting under the Company's direction and who has access to personal data may only process the data in accordance with the Company's instructions. Every employee who has access to data undergoes training on data processing and protection.
4) Documentary Protection
Documentary protection is a system of organizational measures in the processing of personal data on paper.
The Company adopts the following documentary protection measures:
- where applicable, the creation and regular maintenance of registers, which will be kept on paper;
- determination of the conditions for processing personal data, in accordance with the principles set out in the General Regulation;
- regulation of access to registers;
- control of access to registers;
- determination of storage conditions;
- rules for reproduction and dissemination;
- destruction procedures;
- procedures for inspection and control of processing.
7. Measures in the Event of Data Security Breaches
Art. 7.
The Company undertakes to record any breach, thereby respecting the principle of accountability set out in the Regulation, by describing all details of the breach, including causes, persons affected, and consequences.
In the event that the Company identifies a breach of the security of your personal data that could pose a risk to your rights and freedoms, the Company undertakes to inform you of the breach concerned without undue delay, unless (i) the Company has taken appropriate technical measures ensuring that there is no risk to your rights, or (ii) such notification would require disproportionate effort.
In the event that the personal data security breach is likely to result in a risk to the rights and freedoms of individuals, the Company must inform the supervisory authority.
The assessment of the presence of a high risk is made on a case-by-case basis and after consultation, where appropriate, with the supervisory authority. The notification must contain a description of the nature of the breach, the name and contact details of the data protection officer; a description of the likely consequences of the breach; and a description of the measures taken or proposed by the controller to remedy the breach, including, where appropriate, mitigation measures. The content of the notification of the breach concerned must be agreed upon with the supervisory authority. The risk assessment is made in light of all the circumstances of the case, including but not limited to: the assessment of possible physical, material, and non-material damage; the likelihood of the breach leading to discrimination, identity theft or fraud, financial loss, breach of confidentiality of personal data protected by professional secrecy, unauthorized removal of pseudonymization, or other significant adverse economic or social consequences; or when data subjects may be deprived of their rights and freedoms or of exercising control over their personal data; if the personal data processed reveals health data; when assessing personal aspects, in particular the analysis or prediction of aspects related to professional performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, in order to create or use personal profiles; if the personal data belongs to vulnerable persons, in particular children; or when the processing involves a large volume of personal data and affects a large number of data subjects.
The assessment includes:
- categorization of the type of breach: breach of confidentiality; breach of availability; or breach of data integrity;
- assessment of the nature, sensitivity, and volume of personal data;
- possibility of easy identification of the data subject;
- the severity of consequences for individual subjects;
- the specificities of the data subject;
- the number of data subjects affected.
Notification of data subjects regarding a security breach is not carried out if the Company has taken appropriate technical and organizational measures to protect specific data (for example, the data has been encrypted), if subsequent measures have been taken to reduce the high risk to the rights and freedoms of data subjects, or if the notification would require disproportionate effort, in which case a public announcement is made by publishing information about the breach on the Company's website. In all cases, the Company notifies the supervisory authority of its decision whether or not to report the breach. Regardless of the nature of the breach and the degree of risk of infringement of individuals' rights, the Company undertakes to comply with the guidance given by the supervisory authority.
The Company has developed an action plan in the event of a personal data protection breach, which ensures the rapid restoration of the availability of and access to personal data in the event of a physical or technical incident. The incident response plan for personal data breaches determines the employee/team responsible for the response and notification to the CNIL within 72 hours of becoming aware of the breach.
Given the number of employees in the Company (fewer than 250), the supervisory body must be consulted and, if required by it, the Company will undertake to maintain a register of personal data processing activities, which must contain the elements required by Art. 30(1) of the Regulation, namely:
- Name and contact details of the data controller and the data protection officer;
- The purposes of processing;
- Categories of data subjects and types of personal data processed;
- Categories of data recipients;
- Data processing timelines;
- List of technical data protection measures;
- List of organizational data protection measures.
8. Exercising Your Rights as a Data Subject
Art. 8.
As a data subject whose personal data is processed by the Company, you have the right to exercise your rights under Art. 15-22 of the Regulation with the Company, as follows:
- Right to information: You have the right to be informed in detail of the conditions under which your personal data is processed upon receipt of the data, namely the purposes of processing, the categories of personal data that are processed, the recipients of your data, the retention period, your data, your rights as a data subject, and the existence of the right to lodge a complaint with the supervisory authority. In order to respect this right, this Policy is published on the Company's website, and the Company invites you to consult it in case of any concern.
- Right of access: You have the right to access your personal data processed by the Company. If you wish to exercise your right of access, contact the Company using the contact details below.
- Right to rectification and erasure: You have the right to request that the Company correct inaccurate personal data concerning you, as well as to complete incomplete personal data concerning you. You have the right to request that the Company erase your personal data when: the data is no longer necessary for the purposes for which it was collected, you have withdrawn your consent and there is no other legal basis for the processing of your data, the data has been processed unlawfully, or the data must be erased pursuant to a legal obligation.
- Right to portability: You have the right to request that the Company provide you with personal data concerning you in a structured, commonly used, and machine-readable format. Where technically feasible, the Company may receive, at your explicit request, instructions to transfer your data to another data controller;
- Right to object and right to lodge a complaint: You have the right to object or to lodge a complaint if you believe that your data is not being processed lawfully.
You may exercise your rights by contacting:
Neo Cyber Camp, attention of Mr. Maximilien VOHNOUT.
Address: 231 rue Saint-Honoré, 75001 PARIS, France.
Phone: 01 88 84 03 03
Email: support@neocc.co
Submitted requests will be reviewed within thirty (30) calendar days by the Company.
If you believe that the Company is not fulfilling its obligations with regard to your personal data, you may file a complaint or submit a request to the competent authority.
In France, the competent authority is the CNIL, to which you may submit a request electronically by clicking on the following link: https://www.cnil.fr/fr/plaintes/internet.
9. Final Provisions
Art. 9.
This Policy was adopted by a decision of the company Neo Cyber Camp dated January 14, 2025.
The Policy is published on the website https://www.neocc.co/ for the information of Users.
The Company may make changes to this Policy at any time and without prior notice.
The updated Policy will then be published on this page, which the Company invites you to consult regularly: https://neocc.co/privacy
Continued use of the website after publication of the update constitutes your tacit acceptance of this Policy.