PERSONAL DATA PROTECTION POLICY

I. Introduction

Generix Group SAS and the entities of the group (hereinafter “Generix” or “we”) may, in the course of their activities, process your personal data (or “personal information”). This policy establishes a standard regarding the protection of privacy and of personal data or personal information (hereinafter referred to as “personal data” or “PD”). This policy does not, however, replace applicable national laws and regulations on data privacy in the countries where Generix operates. Local laws will be complied with at all times.

Generix is committed to ensuring that the collection and processing of such PD is carried out in accordance with the General Data Protection Regulation (GDPR), the French Data Protection Act No. 78‑17 of 6 January 1978 as amended, in its current version, as well as the recommendations issued by the French Data Protection Authority (CNIL).

Generix is also committed to complying with any other personal data protection laws that may apply to its activities, such as:

• The Quebec Act Respecting the Protection of Personal Information in the Private Sector, amended by the Act to modernize legislative provisions as regards the protection of personal information (commonly known as Law 25), and the Personal Information Protection and Electronic Documents Act (PIPEDA);
• Brazilian Law No. 13.709 (General Personal Data Protection Law), known as LGPD;
• “Omnibus” privacy laws as well as the CCPA/CPRA (California Consumer Privacy Act and California Privacy Rights Act);
• The Portuguese national law No. 58/2019 of 8 August 2019 on the protection of personal data;
• The Romanian national law No. 102/2005 on the fundamental rights and freedoms of individuals;
• The Spanish national law No. 3/2018 on data protection and digital rights guarantees;
• And any other applicable regulation.

II. Scope

This policy provides you with information on how personal data is processed by Generix. It is regularly updated to take into account legislative and regulatory developments, as well as any change in Generix’s organization.

However, this policy does not cover:

• Personal data processed in accordance with the Generix website policy, which contains links to social networks, cookie management, and processing related to website use. For more information, consult our policy at the following link: Data privacy – Generix (generixgroup.com).
• Personal data processed as part of the recruitment process. For more information, you may consult our candidates’ privacy policy.

III. Generix Commitments

Generix undertakes to comply with applicable regulations for the personal data processing it carries out. Thus, Generix commits to respecting in particular the following principles:

1. Process your personal data lawfully, fairly, and transparently;
2. Collect your personal data for specific, explicit, and legitimate purposes and not process them in a way incompatible with these purposes;
3. Ensure that personal data processed is adequate, relevant, and limited to what is necessary for the purposes for which it is processed;
4. Guarantee an appropriate level of security for such data.

Each processing operation will be carried out taking into account data protection principles, in order to meet the principles of data protection by design and by default.

These commitments are reflected as follows:

1. Respect for your privacy;
2. Ensuring that the protection and security of your personal data is a key concern for Generix;
3. Working with trusted partners who provide sufficient guarantees regarding the implementation of technical and organizational measures so that processing complies with applicable regulations;
4. Respecting your rights as a data subject and making our best efforts to respond to your requests when they are justified.

IV. Generix Commitments as Data Controller

Generix, when acting as a data controller, is responsible for the personal data you provide directly or indirectly (i.e., via third-party sources).

1) Information to be provided when collecting personal data

When collecting personal data, Generix undertakes to inform you, in simple and clear terms, of the following:

• The purposes of the personal data collected;
• The personal data collected;
• The means by which this personal data is collected;
• The rights of data subjects regarding personal data;
• The legal bases;
• Where applicable, the identity of the third party for whom the collection is made;
• The name of third parties or categories of third parties to whom the personal data must be communicated;
• The possibility that the information may be communicated outside the European Union;
• The categories of persons who have access to this information within Generix;
• The retention period for this data;
• The contact details of the personal data protection officer.

In addition to this information, if a technology including functions allowing identification, location, or profiling is used, the following information must be provided beforehand:

• The use of such technology;
• The means offered to activate identification, location, or profiling functions.

2) Categories of personal data processed

As part of personal data processing, Generix collects and processes in particular the following categories of data:

• Identification data: title, last name, first name, date of birth, gender, photograph, signature specimen;
• Contact data (private or professional): postal address, email address, telephone number;
• Family-related data: marital status, number of children;
• Education and employment data: for example, education level, occupation, employer name, academic background;
• Status as a client, prospect, candidate, employee, or partner;
• Data collected during your interactions with Generix: comments, suggestions, collected needs, voice and image (e.g., during videoconferences, participation in webinars or workshops), email discussions, interactions on our website, social media pages, and your latest claims/complaints;
• Technical data: IP address, browser type and version, operating system used;
• Connection and tracking data: cookies and trackers on our websites, our solutions, and our social media pages;
• Depending on the location of the Generix entity acting as controller, Generix may be required to collect additional personal data due to a legal, regulatory, or contractual obligation, especially under commitments made to regulators or in the context of litigation.

3) Recipients of the data

Your personal data is communicated only to authorized and identified recipients.

May be recipients:

• Our company as the data controller,
• Our authorized personnel,
• Entities and companies within the group to which we belong, as processors or for the needs of establishing, concluding, and managing contracts, to facilitate necessary updates and corrections, and where applicable, to manage operational risks (risk assessment, security, prevention of unpaid invoices and fraud), and comply with their regulatory obligations.

May also be recipients:

• Service providers and processors acting on our behalf, such as hosting providers and suppliers of goods and services,
• Trusted partners whose products and services we distribute,
• Banks,
• Duly authorized judicial and/or administrative authorities, arbitrators, mediators, and certain regulated professions such as lawyers, notaries, or auditors, when specific circumstances require it (litigation, audit, etc.), as well as any current or potential party involved in Generix companies or activities, or its insurers.

4) Purposes and legal bases

The personal data processing carried out by Generix has an explicit, legitimate, and defined purpose.
The legal basis for collecting and using your personal data depends on the data collected and the context in which it is collected.

If you are located in the EU or if European regulations otherwise apply to you, your data may be processed for the following purposes:

• Purposes based on pre-contractual steps, contract conclusion, and contract execution:
  • Presentation of the characteristics of products and services sold by Generix and its partners,
  • Contract establishment and management of the contractual relationship, billing, follow-up,
  • Management and execution of services associated with subscribed products and services,
  • Debt recovery.
• Purposes based on legal and regulatory compliance, such as:
  • Combating tax fraud,
  • Combating money laundering and terrorist financing,
  • Combating corruption,
  • Tax control and declarations,
  • Risk assessment, particularly regarding security, prevention of fraud and unpaid invoices, and anti-money laundering,
  • Compliance with employment obligations (e.g., maintaining personnel registers, organizing staff elections, payroll management, reporting to public authorities),
  • Management of your rights,
  • Execution of payment operations,
  • Official requests from authorized public or judicial authorities,
  • Management of insolvency proceedings.
• Purposes based on legitimate interests, such as:
  • Presenting product and service characteristics in the context of software and solutions sold by Generix and its partners, sharing news about Generix’s offerings,
  • Carrying out prospecting and commercial outreach through information campaigns involving various media: online conferences, white papers, events, documentation, and offering you similar or complementary products and services,
  • Organizing games, contests, and commercial events such as trade shows or conferences,
  • Managing social media: event promotion, paid campaigns on LinkedIn, sharing Generix news,
  • Keeping proof of exchanges, operations, and transactions, handling complaints, and preparing defense in case of disputes,
  • Conducting opinion and satisfaction surveys.

These processing activities are implemented taking into account your interests and fundamental rights.

• Purposes based on consent, such as:
  • Sending you our offers electronically (email for services you do not have or outside your usual activity). You may unsubscribe at any time directly within the communication or through the methods outlined in the “exercise of your rights” section.
  • If you ask to no longer receive communications or later wish to receive them again, we will keep an electronic record of your request as proof.

For new processing activities not described above, we will inform you and, if necessary, seek your consent.

If you are not located in the EU, your country’s applicable legislation may:

• Require your consent for the collection and processing of your data. If so, we will request it,
• Allow us to collect, use, or disclose your data on a legal basis other than those mentioned above.

5) Retention periods

• For the time necessary to fulfill the purpose for which it was collected, or
• When personal data is collected for multiple purposes, until the longest retention period has expired, or
• To comply with legal or contractual obligations, or
• For the duration of the relationship between you and Generix, plus the applicable statutory limitation period,
• Or for longer when archived for claim and/or litigation management, regulatory compliance, or responses to duly authorized judicial or administrative authorities.

Thus, for billing purposes, data may be retained for up to 10 years after the end of the relationship or operation in France.
For prospects, data is retained for 3 years from collection or last contact (France).
For clients, data is retained for 5 years from contract closure (France).

Your personal data is therefore kept for the duration necessary to perform the purposes for which it is collected and processed. It is then securely destroyed or anonymized.

Since Generix is a group, retention periods vary depending on the entity acting as controller and local requirements.

6) Security measures

Personal data collected by Generix is processed according to the highest security standards, and we take all appropriate measures to protect its confidentiality.
However, Generix cannot guarantee the confidentiality of messages sent through open telecommunications networks.

Security is essential to our activities. When we use processors or service providers, we select them based on their ability to meet strict quality and security criteria.
We also impose security rules on processors and service providers that match our own requirements.

7) Transfers of personal data

Due to the international organization and activities of the group, personal data may be transferred outside your country of residence, in accordance with the purposes of the processing, to group entities, service providers, processors, or partners located within the EU, outside the EU, in Quebec or outside Quebec, in Brazil or outside Brazil.

In all cases, Generix ensures that such cross-border processing is protected by adequate safeguards, in accordance with applicable laws.

When transferring to a country outside the EU, Quebec, or Brazil, we use legal safeguards such as:

• Prioritizing “safe” countries offering adequate protection according to our national supervisory authority;
• If the level of protection is not considered adequate, relying on appropriate safeguards such as Standard Contractual Clauses approved by the European Commission or Binding Corporate Rules.

When required, Generix performs a Privacy Impact Assessment (PIA), or data protection impact assessment, to ensure personal data receives adequate protection. A written agreement must reflect the results of the assessment and any risk mitigation measures.

8) Exercising your rights

Under applicable regulations, you have several rights regarding your personal data.
Depending on applicable law, you have the following rights:

• Right of access: obtain information about your personal data, processing purposes, recipients, and receive a copy;
• Right to rectification: correct inaccurate or incomplete data;
• Right to erasure (“right to be forgotten”): under certain conditions, request deletion of your data;
• Right to object: under certain conditions, object at any time to processing, particularly for commercial prospecting and related profiling;
• Right to restriction of processing: under certain conditions, request limitation of processing (e.g., while accuracy is verified);
• Right to data portability: request transfer of your data in a usable format to yourself or a third party;
• Withdrawal of consent: if processing is based on consent, you may withdraw it at any time;
• Right not to be subject to automated decisions: including profiling. If automated decisions are used, you will be informed, and may contest/obtain human review.

You may manage your email communication preferences via the preference center. If you withdraw consent, you may no longer receive alerts or newsletters you subscribed to.

These rights are not absolute and are subject to conditions in applicable regulations. If your personal data is no longer required and we are not legally required to retain it, we will delete or anonymize it.

Any request to exercise rights must:

• Be made in writing,
• Be signed by the requester,
• Include the address for sending the response,
• Include proof of identity, where required.

• For EU residents: For any information or to exercise your rights, you may contact the Data Protection Officer (DPO) at dpo@generixgroup.com, or send a letter to:
  Generix Group
  For the attention of the DPO
  Tour Légende
  20 place de la Défense
  92800 – Puteaux
  France

• For Canadian/Quebec residents: You may contact the Personal Information Protection Officer (RPRP) at dpo@generixgroup.com or send a letter to:
  GENERIX GROUP NORTH AMERICA
  For the attention of the Personal Information Protection Officer (RPRP)
  1360 Rue Ropery
  #201, Montréal,
  QC H3K 2X3

Depending on your country of residence, local specificities may apply. They will be communicated by the relevant entities.

Finally, you may lodge a complaint with a supervisory authority:

• Europe: https://edpb.europa.eu/about-edpb/board/members_en
• France: CNIL – 3 place de Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07 – http://www.cnil.fr
• Belgium: https://www.autoriteprotectiondonnees.be
• Spain: http://www.agpd.es
• Italy: http://www.garanteprivacy.it
• Portugal: https://www.cnpd.pt
• Romania: http://www.dataprotection.ro
• Quebec: Commission d’accès à l’information du Québec (http://www.gouv.qc.ca)
• Brazil: ANPD – National Data Protection Authority (www.gov.br)

V. Generix Commitments as Processor

1) Processor role and legal bases

Generix, as a software editor, provides its clients—acting as controllers—with several services, notably in SaaS mode, through which said clients collect, analyze, share, or process your personal data via our solutions, applications, and services.

Within the use of the solution, Generix acts under client instructions as processor, based on the contract signed between Generix and its client, in a primarily business-to-business (“B2B”) framework.

2) Categories of personal data processed

Depending on the requests of clients acting as controllers, the following personal data may be collected:

• Supply Chain Execution (depending on the solution):
  Identification and contact details of customers to be delivered (name, surname, email, telephone, address, carrier, order lines, delivery appointments, delivery instructions), warehouse operators and/or truck drivers (employee ID, supervisor name, name, surname, email, nationality, spoken language, contractual status, license plate), proof of delivery, truck geolocation data, team/individual performance data, planning, free-text zones.
• B2B Integration (depending on the solution):
  Identification data, contact data, localization data (postal addresses), connection and content data (IP, login IDs, user recordings), free‑text zones.
• Omnichannel Sales (depending on the solution):
  Identification data (name, surname, date of birth), contact data (email, phone), postal address, loyalty-related data (recruitment date, store, last interaction, loyalty balance), economic data (transaction number, date/time, store, purchase details, vendor/cashier ID), payment information, configurable dynamic fields, free-text zones.
• Technical cookies used for solution efficiency, only for service delivery duration and not exploitable by Generix.

3) Purposes

When using solutions, Generix’s clients may process or instruct us to process your personal data for purposes such as:

• Supply Chain Execution:
  Warehouse operations management, transport operations, resource planning, stock replenishment calculation, statistics, performance analysis, maintenance and support.
• B2B Integration:
  Management of customer/supplier data flows: invoicing, file transfers, inter-application exchanges, maintenance and support.
• Omnichannel Sales:
  Loyalty program management, customer databases, promotions, sales recording, marketing targeting, archiving, maintenance and support.

4) Processing operations

• Generic operations:
  Collection, hosting, storage, maintenance, support, recording, access, transmission, extraction/replication for analytics, deletion and destruction.
• Specific to Supply Chain Execution:
  Delivery address generation, transport loading data, data exchange with external systems, order preparation analysis, RF or voice terminal operations, distance travelled, photos, geolocation.
• Specific to B2B Integration:
  Data flow control, digital invoicing and archiving (performed under contractual mandate), interoperability.
• Specific to Omnichannel Sales:
  Customer data recording/updating, import/export, API exchanges, loyalty calculations, cart management, sales registration, emailing of receipts.

5) Retention periods

Personal data collected from clients is retained for the duration of the commercial relationship (contract closure) and 5 years thereafter, according to CNIL recommendations.

6) Security measures

Personal data collected and processed by Generix is handled under the highest security standards. As before, confidentiality cannot be guaranteed for messages sent via open networks. Processors and service providers are chosen for their security capabilities.

7) Data transfers

As an international group, personal data may be accessed by any Generix entity, in accordance with applicable regulations.
Hosting may be:

• Within the EEA for most clients. In case of a processor outside the EU, we implement appropriate safeguards such as:
  • “Safe” countries with adequate protection;
  • Standard Contractual Clauses or Binding Corporate Rules.

For Generix North America clients, data may be hosted in Quebec, the USA, or the EEA. For transfers outside Quebec or the EU, appropriate measures and, if required, a PIA/impact assessment are performed.

8) Additional information and exercising your rights

For detailed information, contact the relevant client (controller). As Generix can only access client data under instruction, you must contact the controller to exercise your rights (access, rectification, deletion, portability, etc.). You may also lodge a complaint with your supervisory authority.

Last updated: March 24, 2026