Privacy Policy - Updated March 31^st, 2026

Data controller:

Personal data collected via the ‘Steps for Cancer Support 2026’ mobile application (hereinafter “SFCS) is processed by:

OSE, a simplified joint stock company with its registered office at 33 rue du Général Leclerc, 92130 Issy-les-Moulineaux (hereinafter ‘OSE’ or ‘we’), in its capacity as data controller within the meaning of Regulation (EU) 2016/679 of 27 April 2016 (GDPR).

Contact: assistance@lebouging.com

Application manager: SFCS represented by its current President Laurent Sturtz

Publication Director: SFCS represented by its current President Laurent Sturtz

Data Protection Officer (DPO): SFCS represented by its current President Laurent Sturtz

Application content host: This application is hosted in France, in Paris, on servers belonging to Clever Cloud, a company based in France.

ARTICLE I. WHAT PERSONAL DATA MAY BE COLLECTED?

The SFCS Services collect information about you, including personally identifiable information, if you choose to share it with the SFCS Services, register an account, or track, complete, or download activities using the SFCS Services. The SFCS also collects information about how you use the SFCS services. This information includes:

·         Mandatory:

o   Name and surname

o   Email address

o   Encrypted password

o   Physical activity information

o   Information about the device(s) used

·         Optionally:

o   Membership in a group / team

o   Messages sent on the chat

o   For the rankings:

§  Title

·         Photo taken to publish on the Social Wall (photo temporarily stored on our servers and then automatically deleted after 3 days)

·         IP address (part of the technical information to monitor the operation of the application)

Health Connect Data / Apple Health

• The app accesses your physical activity data from your Health Connect app (for Android users) / Apple Health (for iOS users). The data concerned is only the following: Steps
• This data is used to display your performance in the form of counters and activity summaries by hour and day. The total data collected is shared with other users in order to establish rankings.
• This data is not used for any purpose other than the functional needs of the application
• Before accessing your data, the app explicitly asks for your permission. You can revoke this permission at any time in the Health Connect / Apple Health settings.
• The data collected is subject to sufficient security measures so that it is not stolen, destroyed, modified or revealed
• You may request the deletion of your account in the app, which will result in the deletion of your data at the end of the challenge. You can explicitly request that your data be deleted immediately (including during the challenge) by contacting the challenge organization via the email address provided in the app (or on the Google Play Store page for Android users)

ARTICLE II. WHO COLLECTS YOUR PERSONAL DATA?

When you fill out a form on the "SFCS" mobile application or on the website(s) of the domain name "SFCS", you expressly agree that your personal data may be collected by or on behalf of OSE.

ARTICLE III. LEGAL BASIS AND PROCESSING OF YOUR PERSONAL DATA

By submitting a request form on the "SFCS" mobile application or on the website(s) of the domain name "SFCS ", you expressly give us your consent for your personal data to be processed in order to provide you with services or support as offered on the site.

As the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time.

We use all the information we have to help us operate, provide, improve, understand, personalize, support, and market our Services.

We operate and provide our services, which includes providing user support and improving, correcting, and personalizing our services. We understand how people use our services, and we analyze and use the information we have to evaluate and improve our services, research, develop and test new services and features, and perform troubleshooting activities. We also use your information to respond to you when you contact us.

The SFCS services collect the information you provide to us. You can join challenges, contests, and communicate with other members. You may also provide additional personal information.

The SFCS also collects a variety of technical information, including device and network information, as well as cookies, log files, and analytics services.

On the "SFCS" website, we use cookies to operate, provide, improve, understand, and personalize our services.

ARTICLE IV. PURPOSE OF THE PROCESSING

The main purpose of collecting your personal data is to provide you with a safe, optimal, effective and personalized social and fun connected physical activity experience. To this end, you agree that we may use your personal data to:

• To provide our services and facilitate the operation of our services, including by conducting audits about you to do so;
• Troubleshoot any problems in order to improve the use of our site and services;
• Personalize, evaluate, improve our services, content and documentation;
• Analyze the volume and history of your use of our services;
• Inform you about our services and those of our partner companies if you have authorised us to receive our newsletter on SFCS and your company has expressly authorised us to do so on the SFCS company version
• Prevent, detect, and investigate any potentially prohibited and illegal or anti-practice activities, and ensure compliance with our Terms of Use and Mailing Policy;
• To comply with our legal and regulatory obligations.

Newsletter and email marketing

An unsubscribe link is included in every newsletter and marketing email we send.

For those of you who have explicitly opted in to receive the SFCS newsletter, you can easily unsubscribe by following the unsubscribe links in each of these emails.

Analysis Service

The services of the " SFCS " website use analytics providers such as Google Analytics to understand how the services are used and to help us improve the services.

ARTICLE V. RETENTION PERIOD OF YOUR PERSONAL DATA

We only keep your personal data for as long as necessary to achieve the purposes pursued, except to meet legal and regulatory obligations.

We delete the personal data we collect after a certain period of time. Concerning personal data collected through the SFCS mobile application or the SFCS.com domain name sites, the time it takes to process the request, with in any case a limited holding period.

ARTICLE VI. RECIPIENTS OF YOUR PERSONAL DATA

Your personal data is strictly confidential and may not be transferred to a third party for commercial and/or promotional purposes. Only persons duly authorised by OSE by virtue of their position may access Your Personal Data, without prejudice to their possible transmission in the cases required by the applicable regulations.

All persons under the responsibility of OSE, who have access to Your Personal Data, are bound by a commitment to confidentiality.

You provide your information when you use our Services, we share your information to help us operate, provide, improve, understand, personalize, assist, and market our Services.

Services tiers

When you use third-party services integrated with our Services, they may receive information about what you provide to them. If you interact with a third-party service linked to our Services, you may provide information directly to that third party. Please note that when you use third-party services, the terms and privacy policies of those third-party services govern your use of those services.

Recipient of personal data

SFCS services do not sell or rent your personal data to third parties for marketing purposes, under any circumstances.

In addition, SFCS services do not disclose your personal data to third parties, unless

1. you (or your account administrator acting on your behalf) make the request;
2. disclosure is required to process your requests;
3. the challenge organiser (Cancer Support Switzerland) shall submit the request;

Information Shared by You

If you link your SFCS account to other social networks and share your activities there, they will be visible outside of the services. If you choose to share or publish your location information through these third parties, it is possible that bad actors may gain access to this information. You should exercise caution when sharing information through third parties and you should carefully review the privacy practices of such third parties.

ARTICLE VII. SECURITY OF YOUR PERSONAL DATA

The protection of your personal data is important to us. Your Personal Data is collected, stored, processed and transferred in strict compliance with the purposes for which it was collected and in accordance with the strict rules established by this privacy policy, which complies with all the obligations of the European Regulation (GDPR) relating to personal data.

OSE implements technical and organizational measures to ensure that Personal Data is stored as securely as possible for the time necessary to achieve the purposes pursued, in accordance with applicable law.

Thus, and in accordance with the GDPR, SFCS undertakes to take all necessary precautions to preserve the security of data and in particular to protect it against any accidental or unlawful destruction, accidental loss, alteration, dissemination or unauthorised access, as well as against any other form of unlawful processing or communication to unauthorised persons.

To this end, SFCS implements industry-standard security measures to protect personal data from unauthorized disclosure.

In addition, in order to avoid any unauthorized access, to guarantee the accuracy and proper use of the data, SFCS has put in place appropriate electronic, physical and supervisory procedures in order to safeguard and preserve the data collected through its services.

Even so, no one can consider themselves completely safe from a pirate attack. This is why in the event that a security breach was to impact you, SFCS undertakes to inform you as soon as possible and to make its best efforts to take all possible measures to neutralize the intrusion and minimize its impact. In the event that you suffer damage as a result of the exploitation of a security breach by a third party, SFCS undertakes to provide you with all the necessary assistance so that you can assert your rights.

It should be borne in mind that any user, customer or hacker who discovers a security breach and the operator is subject to criminal sanctions and that SFCS will take all measures, including through the filing of a complaint and/or legal action, to preserve the data and rights of its users and its own and to limit the impact as much as possible.

By adopting the recommendations of the French authorization for the protection of personal data concerning the level of security of passwords, the password of your account must contain at least 8 characters, 1 digit, 1 number and 1 special character.

We take very strict measures to protect the collection, transmission and storage of the data we collect. These measures depend on the sensitivity of the data we collect, process and store. SFCS uses a company that is an industry leader in auditing online safety and services to enhance the security of our services. The Services are registered with site identification authorities so that your browser can confirm the identity of the SFCS Services before sending any personally identifiable information. In addition, SFCS' secure servers protect this information using advanced firewall technology.

To ensure that these measures are effective in preventing unauthorized access to your private information, you should be aware of the security features offered to you by your browser. You must use a browser with security features to submit your credit card information and other personal information to the Services. Note that if you don't use an SSL-enabled browser, you run the risk of your data being intercepted.

Most browsers are able to notify you if you switch from secure to unsecure communication, if you receive invalid credentials for the services you communicate with, or if you send information over an unsecured connection. SFCS recommends that you enable these features in your browser to ensure that your communications are secure. You can also monitor the URL of the services you visit (secure URLs start with https:// rather than http://), as well as your browser's security symbol to see if you are communicating with a secure server. You can also view the security certificate details of the services you're connected to. Check the validity of any service you connect to through secure communications.

ARTICLE VIII. YOUR RIGHTS

Subject to the limits provided for by the regulations in force, You have the following rights with regard to your Personal Data:

• The right of access – you have the right to obtain confirmation from us as to whether or not your personal data is being processed by us, as well as certain other information (similar to that provided in this Privacy Policy) about how it is used. You also have the right to access your personal data, by requesting a copy of the personal data concerning you. This allows you to know and verify that we are using your information in accordance with data protection laws. We may refuse to provide information where doing so, may reveal personal data about another person or adversely affect another person's rights.
• The right to rectification – you can ask us to take steps to correct your personal data if it is inaccurate or incomplete (for example, if we have the wrong name or address).
• The right to erasure – also known as the "right to be forgotten", this right allows you, in simple terms, to request the erasure or deletion of your personal data where, for example, there is no compelling reason for us to continue using it or its use is unlawful. However, this is not a general right to erasure and there are some exceptions, for example when we need to use the information to defend a legal claim or to be able to comply with a legal obligation.
• The right to restrict processing – you have the right to "block" or prevent further use of your personal data when we are evaluating a request for rectification or as an alternative to erasure. Where processing is restricted, we may still retain your personal data, but we may not use it further.
• The right to data portability – you have the right to obtain and re-use certain personal data held by third parties for your own purposes in different databases (which are separate data controllers). This only applies to personal data that you have provided to us, that we process with your consent and for the purpose of fulfilling the contract, which are processed by automated means. In this case, we will provide you with a copy of your data in a structured, commonly used and machine-readable format or (where technically and financially feasible) we may transmit your data directly to another controller.
• The right to object – you have the right to object to certain types of processing, for reasons relating to your particular situation, at any time, to the extent that such processing takes place for the purposes of legitimate interests pursued by our company. We will be permitted to continue processing personal data if we can demonstrate that there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or if we need it for the establishment, exercise or defense of legal claims.
• The right to withdraw your consent – where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. However, such withdrawal does not affect the lawfulness of the processing that took place prior to such withdrawal.
• The right to provide us with instructions on the use of your personal data after your death – you have the right to provide us with instructions on the management (e.g. retention, erasure and disclosure) of your data after your death. You can change or revoke your instructions at any time.

ARTICLE IX. COOKIES

When you visit the Services, a cookie will be stored on your computer. A banner on the SFCS websites will tell you that we use cookies to improve your experience. Typically, cookies and similar items work by assigning your computer a unique number that has no meaning outside of the SFCS services. The cookies of the SFCS services do not contain any personally identifying information; SFCS services use them to personalize your experience. The SFCS services may also use cookies to help it deliver content specific to your interests. In addition, after you enter your member ID and password during a session on the Services, SFCS Services records this information so that you do not need to enter it repeatedly during that session. Most browsers automatically accept cookies. The only way to "opt-out" of the collection of any information through cookies or other tracking technologies is to actively manage the settings on your browser or mobile device. Check the technical information of your browser or mobile device to learn how to delete and disable cookies and other tracking/recording tools. If you have any questions about how to opt-out of cookies and other tracking/recording tools, contact us at assistance@lebouging.com. Refusing cookies may make certain features of the Services unavailable. The SFCS Services may also use your IP address to identify you, administer the Services, and diagnose problems with the SFCS Services' servers.

When you access third-party sites advertising on the SFCS services or possibly when you view these advertisements, cookies may be set by the companies serving these advertisements. These third parties that may use cookies as part of the SFCS services (partners or other third parties providing content or services available on the SFCS services sites) are responsible for the cookies they set and it is their cookie provisions that apply. The SFCS services assume no responsibility for the possible use of cookies by these third parties. For more information, you are advised to consult their cookie policy directly on these advertiser or third-party sites.

ARTICLE X. UPDATES TO OUR POLICY

We may modify, supplement or update this Privacy Policy in order to take into account any legal, regulatory, jurisprudential and/or technical developments.

In the event of a significant change to this Privacy Policy (relating to the purposes of processing, the Personal Data collected, the exercise of rights, the transfer of users' personal data and our Cookie Policy), SFCS undertakes to inform Users by any written means and will update the "last modified" date at the top of this Privacy Policy.

By continuing to use our services, you confirm your acceptance of our Privacy Policy as amended. If you do not agree with our Privacy Policy, as amended, you should stop using our services. Please feel free to review our Privacy Policy from time to time.

ARTICLE XI. HOW TO CONTACT US?

If you have any questions about this privacy policy, the use of your Personal Data and/or to exercise your rights as described above, please contact us by email at assistance@lebouging.com or by post at the address below:

OSE

33, rue du Général Leclerc

92130 Issy-Les-Moulineaux

Before we assess your application, we may ask you for additional information to identify you. If you do not provide the requested information and, as a result, we are unable to identify you, we may refuse to comply with your request.

If you are not satisfied with our response to your complaint or if you believe that the processing of your Personal Data does not comply with data protection laws, you may lodge a complaint with the relevant data protection supervisory authority. The Commission Nationale de l'Informatique et des Libertés (CNIL) is the data protection authority in France.