We decided to present it as a layered text: if one topic is of specific interest for you, you are free to click on expandable links to get additional details, know how to set some Privacy Choices or to exercise your rights.

Most of the time, the policy remains accessible from the bottom of our website pages & app screens, from the menu or the taskbar, from your account page, or along with Legal Information.

You will find lots of relevant definitions in article 4 of the GDPR.

ID side team thinks that the following ones are particularly relevant for non experts.

GDPR or General Data Protection Regulation: This is the EU Regulation adopted to strengthen your privacy rights and make those consistent EU-wide (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data). It became binding on 25 May 2018.

Personal data: "any information relating to an identified or identifiable natural person (‘data subject')", that is to say that "can be identified, directly or indirectly", notably using an "identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (art. 4).

DPO or Data Protection Officer: The DPO of an entity processing personal data ensures such processing is carried out in compliance with all applicable data protection rules and facilitates the exercise of your rights.

DPAs or Data Protection Authorities, also called in the GDPR "Supervisory Authorities" (SAs): Those national Authorities are "public authorities" "responsible for monitoring the application of" the GDPR "in order to protect" our "fundamental rights and freedoms" to data protection and to privacy (art. 51).

Consent: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (art. 4).

Profiling: "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements" (art. 4).

ID side carries out data processing on its own behalf and, as such, implements "appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with" the GDPR. "Where necessary", we have to review and update such measures (art. 24 of GDPR).

A DPO is not mandatory for all entities processing personal data. At this stage, it is not for us: each member of our team is fully dedicated to handling DPO’s missions, being accountable and fully complying with the General Data Protection regulation (GDPR). In case you think we don’t and you have already shared a comment, just let us know: dpo@idside.eu!

What's specific in our Privacy Policy? The purpose of our app is to gather our Privacy Choices so that we share such Choices and have them taken into account. Therefore, contrary to the traditional approach concerning privacy monitoring online, which basically is designed service per service, our approach is user-centric: we take utmost account of the Privacy Choices you set on ID side by-default, freely and unambiguously.

If needed, we will be the ones coming back to you & asking for additional information or specific consents.

The only personal data that we require from you are those strictly necessary for ID side to provide you with its services (those are flagged with * when filling your account), that is to say:

• - your name or your pseudonym;
• - one valid email, that you use to sign on ID side (and the password you set along with it to use ID side in a secured way);
• - whether you are less than 15.

All other information that we ask from you is totally optional: it aims at getting relevant statistics about our collective Privacy Choices and the reasonable expectations of our community.

The only personal data that we ask from you is strictly necessary for ID side to provide you with its services.

When creating an account, mandatory data collected is:

• one valid email, that you use to sign on ID side.
• a password (we do not access).

We also want to outline that we will attribute an "ID side identifier" to you (UID). Such identifier will help us facilitate the sharing of your Privacy Choices, if any. We will also know when you install our extension(s) and about the plugins you use to share on social networks.

Data to provide optionally include privacy preferences, interests for certain categories of products, prices, discounts or brands but also algorithmic/AI choices. It could also include information you share with us when using our contact form online or when contacting our DPO at dpo@idside.eu.

Metadata linked to your activity on our website might aggregated.

ID side gathers some information that you might not consciously or voluntarily provide us with, such as connexion information (i.e. IP address) or other information (i.e. session cookie). We do not use such data for any other purpose than potential security checks.

As shown on your "See me as" screen, and as usual, the picture you freely upload in your account (and which remains totally optional) and your name/pseudo will be accessible for all other ID siders, as well as your Privacy Profile and your Privacy Choices (meaning that anyone will see it, even people not signed-in ID side).

There are 6 legal grounds identified in the GDPR (art. 6. 1) that are eligible to process personal data (contract, consent, legal obligation, public interest, vital interest or legitimate interest).

Depending on the purposes aimed at for each specific processing, controllers have to identify which legal ground applies. This is what we do here-below.

Purpose 1: To provide you with our service

After ID side team carefully assessed each option we concluded that:

Today, the data processing we carry out remains in line with the services we propose, and that you sign-in for, because there are no specific provisions in our Terms of services that are likely to breach your reasonable expectations and because our "processing is necessary for the performance of a contract to which {you are} party" (article 6 1- b) of GDPR). This is why, we retain the contractual legal ground.

Purpose 2: To carry out statistics

We may also process your data to obtain reliable, updated and relevant statistics, and render a better service to you. We framed it in our Terms of services and therefore rely on the contractual grounds (article 6 1- b) of GDPR).

Other Purposes: To monitor HR, administrative, security, technical, logistical & any other tasks

There are lots of reasons for which we process additional personal data, on a regular basis and for legitimate interests. ID side counts among those purposes HR, administrative, security, technical, logistical & any other tasks, for which we rely on the legitimate interest ground (article 6. 1- f) of GDPR).

Any additional processing that we might envisage will either be added in this Privacy Policy and based on one of the 6 legal grounds identified here-above, or processed in a compatible way with "the purpose for which the personal data are initially collected" (article 6. 4- of the GDPR).

Functional Cookie (or Session Cookie

Today, ID side collects one by-default cookie: the Session cookie. These Cookies allow you to sign in and stay logged from one page to another on the concerned website, before you decide to log off.

This Cookies is a by-default Cookie because it is essential to enable you to move around our website and use it. For instance, sticking to the language you pick might depend on such Cookies. Also, without the session Cookies, you can't log in nor be provided with a secured website.

Persistent "log-in" Cookie

ID side offers the possibility to use another functional Cookie, which is not a Cookie "by default" but that our team has retained as useful and potentially appreciated by most of you: a persistent "connection" Cookie - also called "log-in" Cookie, which allows you to stay connected from one session to another. In a nutshell, it avoids logging in each time you come back to our web app.

We inform users of the presence of this Cookie. To validate this Cookie from the outset, users should activate or click on the “Remember me” button proposed when signing in.

Cookies from embedded services on ID side

In certain versions of ID side, third parties services, such as Vimeo, Matomo or Stripe are used. Therefore, we invite you to go and read policies respectively applicable each service.

Cookies from social networks

As a crowdsourced web app, ID side offers some mainstream social networks' functionalities and gives you the opportunity to share your Privacy Choices and recommend our web app in social networks.

If you visit our web app and plan to use our social plug-ins, we pass on the URL to the social network you enabled.

In case you want to be put in capacity to use any embedded service provided on ID side, and do not deactivate any Cookies a priori and by-default, we recommend that you read the privacy information of the respective social networks carefully, notably:

in their own privacy policies, available here-below:

• Twitter
• Facebook
• Instagram
• Snapchat
• Linkedin
• Tiktok

Cookies storage on ID side

Cookies are stored either temporarily for one session only (such is the case of our session Cookie) or permanently on the hard disk (such is the case for "log-in" Cookies).

Cookies that ID side do not use: Advertising Cookies

Some websites use Cookies to deliver adverts more relevant to you and your interests. Those are targeting or advertising Cookies, also used to tailor effective advertising campaign based on the interests you show online. They are usually placed by advertising networks along with the website operator's permission.

ID side will not use such Cookies on its website.

Your Cookies preferences outside of ID side

ID side Privacy Choices include a few questions on your Cookies preferences. It is there to help you.

For more information on the setting of Cookies, you can access the following webpages:

• Google Analytics tools opt-out
• Internet Explorer™ page
• Safari™ (Desktop) page
• Safari (Mobile) page
• Chrome™ page
• Firefox™ page
• Opera™ page
• Opera Mobile page

Even if such option is not implementable on all websites, you can also set your browser so that it sends a code indicating to websites that you do not wish to be tracked. ('Do Not Track' option):

• Google Chrome™
• Microsoft Internet Explorer™
• Mozilla Firefox™
• Opera™

Finally, you can find helpful resources to learn about advertisers' use of Cookies:

• European Interactive Digital Advertising Alliance (EU)
• Internet Advertising Bureau (US)
• Internet Advertising Bureau (EU)
• Internet Advertising Bureau: Guide to online advertising and privacy

Caveat!

Be aware that if you do turn all Cookies off in your browser, you might not be able to fully benefit from basic features such as automatic log-in on our website.

Comments, suggestions or requests on our Cookies Policy

Would you want to share any comment or suggestion on our Cookies monitoring, please do not hesitate:

• to share on contact@idside.eu or,
• for specific & individual concerns or legal requests, send us an email at dpo@idside.eu.

In case you exchanged with us and you still want to send a complaint to any competent Data Protection authority in EU, please find the official list here.

Updates of our Cookies Policy

We will update this Cookies Policy if/when needed. You can see the date of the last change carried out at the top of this Policy.

Concretely, you have the following controls:

• You are required the minimal amount of data (email and password) for us to provide you with our services. You can set your account without providing additional information.
• You monitor the notifications we send you;
• You set all your Choices the way that best suits you, including algorithmic models and ponderations, notably regarding how we should process your personal data;
• You can delete your account whenever you want.

On the long run, ID side processes your personal data to crowdsource so that, one day, we all benefit from a user-centric privacy monitoring tool online – e.g. setting our Privacy Right(s) in a few clicks and having those follow you wherever you browse.

On the short run, we use your personal data to:

• Help you share your individual privacy reasonable expectations in a few clicks – i.e. through a JSON file or using ID side extensions;
• Provide on-time reliable information to you based on your collective reasonable expectations;
• Provide our service to you in a secured way;
• Detect, prevent, and mitigate risks related to the overall security of our website or better the technical performance of our services;
• Send you notifications you decided upon;
• Fine-tune the design of our services so that they best suit you;
• Identify new services to design so that you better monitor your privacy online;
• Enforce any potential legal claim – which could be based on violations of our Terms of services.

In case we plan to further use the personal data that you already provided us with, and we reasonably doubt it remains in line with your expectations, we will come back to you and ask you to clearly consent to certain processing of your personal data (i.e. for any further use of personal data falling aside your reasonable expectations).

Also, quite importantly:

• We gather our personal data fairly and only use it when needed and in line with what we understand as being our/your reasonable expectations.
• We do not process our/your personal data for reasons that are incompatible with the original purpose of collection (article 6.4 of GDPR).
• We protect our personal data by implementing appropriate technical and organisational measures that we regularly check with our developers.
• Our legal documentation (Privacy Policy, our Cookies policy, legal mentions, Terms of services) aims at complying with applicable laws but "most of all" to be transparent, help you enforce your rights & get your feedback.
• We hold ourselves accountable for helping you understand & enforce your rights.

We do not plan on sharing any of your personal information with third parties without such sharing being directly required by you, in line with your reasonable expectations or without getting any specific consent from you.

Of course, to carry out our mission, we will have to work hands in hands and along with some service providers, developers or domain administrators, processors or potential partners (i.e. competent public bodies or digital companies). We will share de-identified data (i.e. stats) instead of identified data each time it is possible (such will not be the case when, for instance, our developers will have to access our database).

We do not plan modification of our legal status, nor that your data will be further used. No additional purpose (that could diverge from your reasonable expectations) will be served without your specific additional consent.

ID side processes and stores all personal data you provide us with for the duration you have an ID side account. Therefore, if you are likely to use our services for a number of years, we will store your data accordingly, implementing technical and organisational measures to protect such data from any risk.

Concerning Cookies, log data or metadata, we will not store it for more than 13 months.

Concerning ID side’s extension, activity data (such as downloads, update checks, notifications, issue reports and data in connection with uninstalling) will not be stored more than 30 days.

Finally, any Crash reporting (or “crashlytics” data) will be retained for 180 days maximum.

As a rule of thumb, we will regularly check the requirements set by the French Data Protection Authority (CNIL), notably for additional processing serving HR, administrative, security, technical, logistical or any other tasks. Would you want to call our attention on any specific point, do not hesitate to contact us at contact@idside.eu.

Would there be any additional legal requirements we should comply with, we could retain your information to comply with such legal purposes. Additionally, retention periods may be extended if such data is necessary to assert, exercise or defend a legal claim.

You can delete your registration and erase any associated information or data as best suits you.

We know that it is difficult for parents & children to monitor their privacy online in full compliance of applicable legal requirements, notably because, in France for instance, minors being less than 15 cannot legally consent online by themselves. Parents (or legal guardians at large) have the obligation to do so on their children's behalf.

Depending on the service provided and the privacy risks at stake, each entity has to determine its own rules, and to tip the right balance between privacy and safety online.

Based on the preceding, what we propose concerning ID side services can be summarised as follows:

• We do not intend to collect information from children who are under legal age to consent online (i.e. 15 in France) without their parents being at their side, to help them understand & fill their Privacy Choices.
• If you are under 15, there is no problem in using www.idside.eu, as far as your parents (or legal guardians) help and assist you to use our website/app. In case you did not do so already, please, just go & get them so that you enjoy ID side services legally.
• If you are parents (or legal guardians), it could be of some help to kick off conversations with your children and help them set their privacy & safety online along with you. ID side extension is here to help.
• In specific cases only, we will check on parents' valid consent with reasonable means. In those instances, depending on the privacy/safety assessment we will carry out, we might ask you and your children additional information. Based on our exchanges, such requirement might include IDs' scans (that we would not store but just check to validate your IDs).
• Despite all previous specifications, should we learn that we have collected the personal information of a child under 15 (or equivalent minimum age to lawfully consent online in a given country) without legal guardian's assistance, we will take steps to ask for regularisation or, after a reasonable time and in case of reasonable doubts, to delete all data concerned.
• We welcome any suggestion that you might have on framing this process in a proportionate and efficient way at contact@idside.eu.
• We invite any parent or legal guardian that would need to access, rectify or erase data associated with their children to contact us at contact@idside.eu.

Regarding log data and metadata, when you use ID side, we automatically collect the IP address of your computer or device. But we actually do not store it.

ID side is a tracking-free environment. We use data about your activity on ID side only to help you set and control the recommendations we will provide you with. In practice, it means we give you algorithmic control about the way products/offers are displayed to you, notably through basic settings.

In case we develop AI-embedded features, or categorise any activity track based on AI classifications, we will inform you accordingly and facilitate the exercise of your rights to transparency and to explainability.

When you install the ID side extension on your device, we collect and process additional personal data such as:

• Extension update checks (as your browser periodically checks for updates of all your extensions, including ID side’s): your browser version, operating system, date of last update and your IP address will be transmitted during updates’ check. Updates for Safari/Chrome are handled by Safari Extensions website and are therefore subject to Apple/Google Privacy Policies;
• Subscription updates;
• Other data that you allow us to access when installing the extension for the purpose of making it work (e.g. whether cookies are allowed for the given webpage, whether JavaScript is enabled on the given webpage, whether private mode is used for the given webpage, a list of your installed plug-ins, including file name, name of plug-in, a list of your Companies & commercial preferences).
• Uninstallation information: when uninstalling ID side’s extension, ID side will collect some fingerprinting information (e.g. browser language, browser type, operating system and version, number of notification downloads, extension version, details on any corruption of configuration).

It is important to note that, in case of malfunction of our extension on Safari, and only in such case, we might collect some data for analysing crashes (some calling it “crashlytics”). Data would then include: UUID, crash traces, Device type, Application ID, Instance IDS, App and/or extension version, Free space, Free ram, A timestamp of when a crash happened.

We also of course process data based on your activity on ID side (i.e. when you identify commercial preferences or when you fill or modify your Privacy/AI settings).

We maintain an online presence on different social networks and platforms to communicate, crowdsource & inform you about ID side (i.e. TikTok).

Our website enables the use of social plugins ("plugins") provided by social networks -such as Twitter, Linkedin, Facebook, Instagram or Snapchat.

When clicking on "Share" and on one of the plugins buttons that we provide you with, a new window of your browser opens and calls up the page of the service provider concerned, so that you can share on it (if necessary after entering your login data).

Each provider sets the purpose and scope of data collection, further processing and use of your data in their own privacy policies, available here-below:

- Twitter

- Facebook

- Instagram

- Snapchat

- LinkedIn

Additionally, ID side could use, as our activity develops, services to allow the playback of audio and video files. When you access such content, the embedded player will establish a connection to the video website in case we do not store the video locally (i.e. Vimeo or Youtube) so that the video or audio file can be transmitted and played. Your logging data will then be transmitted to the video provider, acting from then on as a data controller. Therefore, further information concerning any further processing of your data by such services providers is available on applicable privacy policies.

Our data and your personal data are stored in France.

Our website host is OVH SAS, 2 rue Kellermann - 59100 Roubaix - France (RCS Lille Métropole 424 761 419 00045).

We do not transfer data outside of EU.

We are fully committed to processing your personal data fairly and in a transparent & accountable way. It is important to us that you freely exercise your rights.

Here are some of the rights GDPR provides you with and that we are eager to helping you enforce:

• Right to transparent information (recital 58 and art. 5 & 12. 1.);
• Right to data minimisation, accuracy of the data processed about you, storage limitation, integrity & confidentiality and right that your personal data would be processed by entities acting in an accountable way (art. 5);
• Right to be provided modalities "facilitating the exercise" of your rights, so that they become "enforceable and effective"(recitals 59 & 114 and art. 12.2);
• Right to information (art. 13 & 14);
• Right to identify the legal valid ground on which is based the processing of your personal data (art. 6);
• Right to be asked for a specific consent to the processing of your personal data with no "clear imbalance between the data subject and the controller" (recital 43);
• Right to ask the entity processing your personal data to demonstrate you provided such consent (art. 7. 1.);
• Right to withdraw consent (art. 7. 3.);
• Right to ask the entity processing your data to demonstrate that your fundamental rights & interests are overridden by the legitimate interest of the entity carrying out such processing (recitals 47 & 69);
• Right that your personal data is not further used for incompatible purposes (recital 50 and art. 4.);
• Right of access (art. 15);
• Right to rectification (recital 65 and art. 16);
• Right to erasure or "right to be forgotten" (recital 66 and art. 17);
• Right to restriction of processing (recital 67 and art. 18);
• Right to data portability (recital 68 & art. 20);
• Right to object to direct marketing (recital 70 and art. 21. 2.) -even if we do not carry out direct marketing operations, we help you share your Privacy Choices with others in this regard;
• Right to object based on your "particular situation" (art. 21. 1.);
• Right not to be subject to a decision "based solely on automated processing and which produces legal effects" on you "or similarly significantly affects" you (recital 71 and art. 22. 1.)- again, even if we do not carry out direct marketing operations, we help you share your Privacy Choices with others in this regard;
• Right to be specifically informed, to obtain human intervention, know about the logic and contest a decision based solely on profiling -or any automated decision-making that would significantly affect you (recital 71 and art. 22) -still to help you share your Privacy Choices with others in this regard;
• Right to have privacy risks mitigated (recital 83 and art. 32);
• Right to be informed about any data breach that is likely to result in a high risk fo you (recital 86 and art. 34);
• Right to lodge a complaint with a competent DPA (recital 141 and art. 77);
• Right to lodge a complaint before a judge (recital 141 and art. 79);
• Right to join a collective action (recital 142 and art. 80);
• Right to obtain damage compensation in full, the processor or controller being "held liable for the entire damage" (recital 146 and art. 82);

Regarding your right to object, you have the right to do so on grounds relating to your particular situation, at any time, to any processing of personal data concerning you (article 6(1) -e) or -f) of GDPR). In case you do validly exercise such right, we will no longer process the personal data concerning you, unless we demonstrate it is necessary for the establishment, exercise or defence of legal claims.

We consider this Privacy Policy as being much more than a legal compliance tool. It is not a "checking the box" exercise. We would like this document to help us staying in line with both your expectations and our culture (user-centric privacy monitoring).

ID side is designed to help you set your Privacy Right(s). We will always welcome that you share constructive feedback on the way you would like your personal data to be processed. Just exchange with us.

We commit to review all your inputs and, if necessary, to take steps to change the way we process data in order to meet your reasonable expectations. Additionally, our team will brainstorm on all inputs received at least twice a year.

In case you think that ID side is likely to breach one of the EU privacy rights listed above in any way, thanks for exercising your right, sending us an email at dpo@idside.eu. We will take steps to fix things. We will come back to you as soon as possible (of course, in less than 1 month).

Would it be necessary to exercise your rights (i.e. right of access), we might ask:

• Your name
• Your email address
• Your Postal address
• and optionally your ID (if you send us a copy of your ID, please black out all other information apart from your first and last name and address).

In case you exchanged with us and you still want to send a complaint to any competent Data Protection authority in the EU, please find the official list here.

In practice, providing sufficient security to all personal data that we process entails that we guarantee:

• their confidentiality (no disclosure to third parties);
• their integrity (no modification of your personal data by unauthorised third parties);
• their availability (authorised parties access your personal data whenever needed).

Our developers had to comply with CNIL RGPD guidelines for developers, that is to say implement basic good practices and put in place suitable safeguards (e.g. appropriate technical and organisational security measures against unlawful or unauthorised access or against accidental loss or damage to the integrity of your personal data).

Our website uses Hyper Text Transfer Protocol Secure (HTTPS), a communication protocol that is encrypted using Transport Layer Security (TLS), allowing for the authentication of websites accessed and protection of the confidentiality and integrity of your data while in transit.

We also asked our developers to update and test security on an ongoing basis.

Internally, we have restricted access rules to your personal data (e.g. need to know basis and in line with our Privacy Policy).

Your personal data will be processed by third parties (i.e. Data Processors) only if they do agree to comply with this Privacy Policy and all required technical and organisational security measures tied to it.

To help us keep your data secured, you can take basic steps:

• Use strong passwords as defined by CNIL or IDPC and keep your passwords strictly confidential (i.e. avoiding any obvious combinations such as birthday date or 1234).
• Install firewalls, anti-virus and anti-spyware software and be sure that those are fully updated.
• Log off from ID side when you are not using it.
• Flag any unusual activity (i.e. phishing emails requesting personal information).

In case you have no specific & individual Privacy concern(s), but you just want to share comments, you are welcome to share those: contact@idside.eu.

We are a crowdsourced web app, so we just can get better with your feedbacks, comments & concerns. Help us strive & better address any Privacy Concern. Just send an email at dpo@idside.eu

Our Privacy Policy is a living document: it will evolve notably based on your comments and on our capacity to take your feedback into account.

For your full information, we may regularly update this Privacy Policy. If such updates are not substantial ones (meaning they are not likely to breach your reasonable expectations or infringe any of your privacy rights), we will not send any specific notice to you. We will share the date of any last update on our policy and identify what where last changes carried out in a dedicated section.

In case certain changes are substantial and are likely to breach some of your reasonable expectations (or, if we provide no specific information to you.

Our Privacy Policy builds on your comments & feedbacks.

We will be happy to share here-below some of the crowdsourced inputs we receive from you, in a Q&A format.