Privacy Policy
MALOC SASU | SIREN 985054923 | RCS Paris | Version 2.0 | March 22, 2026
PRIVACY POLICY — MALOC
Version: 2.0 — Last updated: 22 March 2026
Effective date: 22 March 2026
MALOC SASU — SIREN 985054923 — RCS Paris — Share capital EUR 1,000 — Registered office: 15 quai aux fleurs, 75004 Paris
Email: contact@maloc.life — DPO: dpo@maloc.life — Website: https://maloc.fr
PREAMBLE
MALOC SASU, a simplified joint-stock company with sole shareholder (société par actions simplifiée unipersonnelle) with a share capital of EUR 1,000, registered with the Paris Trade and Companies Register under SIREN number 985054923, with its registered office at 15 quai aux fleurs, 75004 Paris (hereinafter "Maloc"), is committed to processing its Users' personal data with the utmost rigour, in compliance with the applicable European and French legal framework.
This Privacy Policy (hereinafter the "Policy") is drafted in accordance with:
- Articles 12 to 14 of Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter the "GDPR");
- French Data Protection Act No 78-17 of 6 January 1978 (Loi Informatique et Libertés), as amended by Act No 2018-493 of 20 June 2018 and Ordinance No 2018-1125 of 12 December 2018;
- Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the "ePrivacy" Directive), transposed into Article 82 of the French Data Protection Act;
- the CNIL guidelines of 17 September 2020 on cookies and trackers and CNIL deliberation No 2020-091;
- the recommendations of the European Data Protection Board (EDPB).
The Maloc Platform is aimed at two categories of Users with distinct legal statuses under the GDPR:
- Renters (Loueurs): exclusively legal entities (French companies) or registered independent professionals (hereinafter the "Renters"). The data processed in respect of Renters includes data relating to the legal entity (company data) and personal data concerning their legal representatives and directors. The latter fall within the scope of the GDPR.
- Tenants (Locataires): natural persons of legal age acting in a non-commercial capacity (hereinafter the "Tenants"). These individuals benefit from the full protection of the GDPR as consumers.
This Policy describes in a transparent and comprehensive manner: the data collected according to the User's profile, the purposes and legal bases for each processing operation, the retention periods, the recipients and processors, transfers outside the European Union, as well as the rights available to data subjects and the procedures for exercising them.
Article 1 — IDENTITY OF THE DATA CONTROLLER
1.1. Data Controller:
MALOC SASU
Simplified joint-stock company with sole shareholder (société par actions simplifiée unipersonnelle)
Share capital: EUR 1,000
SIREN: 985054923 — SIRET: 98505492300026
RCS Paris
Registered office: 15 quai aux fleurs, 75004 Paris
General email: contact@maloc.life
Website: https://maloc.fr
1.2. Data Protection Officer (DPO):
Maloc has appointed a Data Protection Officer (DPO) in accordance with Article 37 of the GDPR:
Data Protection Officer — MALOC SASU
Email: dpo@maloc.life
Postal address: MALOC SASU, 15 quai aux fleurs, 75004 Paris
(Mail: "For the attention of the DPO — Confidential")
The DPO is the primary point of contact for any question relating to the protection of personal data and for the exercise of the rights of data subjects. The DPO is independent in the exercise of their functions and may not receive any instructions concerning their data protection duties.
Article 2 — SCOPE OF APPLICATION AND B2B / B2C DISTINCTION
2.1. Tenant data (natural persons — B2C)
Tenants are individual consumers within the meaning of the French Consumer Code. They benefit from the full protection of the GDPR as natural persons who are data subjects. All provisions of this Policy apply to them without restriction.
2.2. Renter data — legal entities (B2B)
Renters are legal entities. Data relating to the company as such (company name, SIRET, VAT number, registered office address) does not constitute personal data within the meaning of the GDPR.
However, the personal data of legal representatives, directors and employees of Renter companies (surname, first name, identity document, signature) constitutes personal data protected by the GDPR. This Policy applies to such data.
Specific legal basis: The processing of personal data of directors of Renter companies is based on two cumulative grounds:
- Performance of the B2B contract concluded between Maloc and the Renter company (Art. 6(1)(b) GDPR), the director being the legal representative of the contracting party;
- Legal obligation arising from KYC obligations under AML/CFT regulations (Anti-Money Laundering / Countering the Financing of Terrorism), in particular Ordinance No 2016-1635 of 1 December 2016 (Art. 6(1)(c) GDPR).
2.3. Dual capacity of Maloc
For certain processing operations, Maloc acts simultaneously in two distinct capacities:
- Data Controller for data processed for its own purposes (platform management, billing, security);
- Data Processor on behalf of Renters for processing carried out on their behalf via the Platform tools (messaging, vehicle inspection reports, reservation management), in accordance with Article 28 of the GDPR.
Article 3 — PERSONAL DATA COLLECTED
3.1. Data collected for Tenants (B2C)
3.1.1. Identity and contact data
- Surname and first name
- Date of birth (age verification)
- Full postal address
- Mobile phone number
- Email address
- Profile photograph (optional, uploaded by the User)
3.1.2. Identity verification data (Tenant KYC)
- Copy of official identity document (national identity card or passport): front/back
- Copy of driving licence (front/back): category(ies), date of issue, country of issue, number
- OTP code received by email or SMS for authentication at each login and reservation
3.1.3. Payment data
- Stripe transaction references (PaymentIntent, SetupIntent, Stripe Customer identifiers)
- Transaction history (amounts, dates, statuses, refunds)
- Maloc does not under any circumstances store credit card numbers, expiry dates or security codes; these data are processed exclusively by Stripe Technology Europe, Limited.
3.1.4. Reservation and usage data
- Reservation dates and times, check-in and check-out
- Vehicle pick-up and return location (static address provided at reservation)
- Transaction amounts (rental price, service fees, authorised deposit)
- Reservation statuses (pending, confirmed, in progress, completed, cancelled, dispute)
- Reviews and ratings published on the Platform
- Reservation history
3.1.5. Digital vehicle inspection data (check-in/check-out)
- Time-stamped photographs of the Vehicle (up to 12 angles: exterior, interior, details, wheels, windows, roof)
- Photograph metadata: precise timestamp (UTC), GPS coordinates of the location of the photograph (i.e., the Vehicle's location at the time of check-in or check-out)
- Important note: These photographs are intended to document the condition of the Vehicle. Any incidental presence of an identifiable natural person in these photographs constitutes personal data. Maloc recommends that Renters and Tenants do not photograph identifiable third parties during the vehicle inspection. In the event of the presence of an identifiable person, the provisions applicable to personal data under Articles 5 to 17 GDPR apply to these images.
- The geolocation data from vehicle inspection photographs corresponds exclusively to the static address of the Vehicle at the time of handover/return. Maloc does not carry out any continuous GPS tracking of the Vehicle during the rental period.
3.1.6. Communication data
- Messages exchanged via the Platform's internal messaging system
- Transactional emails (confirmations, reminders, reservation alerts)
- Requests sent to customer service and history of exchanges
3.1.7. Technical connection data
- Connection IP address
- Browser type and version (user-agent), operating system
- Connection logs (date, time, duration, pages visited, actions)
- Session identifier
- Performance and technical error data
3.2. Data collected for Renters (B2B — legal entities and their directors)
3.2.1. Data relating to the legal entity (not personal data within the meaning of the GDPR)
- Company name, legal form
- SIREN/SIRET number, intra-community VAT number
- Registered office address and operating address
- Generic professional contact details (company email, company telephone)
- Kbis extract or equivalent registration document (company document)
3.2.2. Personal data of legal representatives and directors (GDPR applicable)
- Surname, first name, position within the company
- Copy of the official identity document of the legal representative (national identity card or passport): front/back — collected as part of KYC/AML/CFT obligations
- Date of birth of the director (KYC identity verification)
- Electronic signature of the legal representative
- Personal professional email address (if different from the company email)
- Personal professional telephone number (if different from the company telephone)
3.2.3. Professional documents relating to vehicles
- Motor vehicle insurance certificates for each Vehicle (company document, but may mention names)
- Professional civil liability insurance certificate
- Vehicle registration certificates (certificat d'immatriculation)
- Management mandate documents (for Concierge services)
3.2.4. Data relating to Vehicles
- Vehicle photographs (exterior, interior)
- Technical specifications (make, model, version, year, mileage, colour)
- Registration number, VIN number
- Rental rates configured by the Renter
- Vehicle availability address(es) (static address, geocoded via HERE.com)
- Vehicle rental history
3.2.5. Renter financial data
- Bank details (IBAN) for payments via Stripe Connect
- History of payments received (dates, amounts, references)
- Pro Plan subscription billing data
3.2.6. Scoring and performance data
- Number and seniority of completed reservations
- Average rating received from Tenants
- Punctuality rate (compliance with check-in and check-out times)
- Cancellation rate by the Renter
- Responsiveness to reservation requests
- Quality and completeness of the profile and Listings
Article 4 — SIMPLIFIED REGISTER OF PROCESSING ACTIVITIES
In accordance with Article 30 of the GDPR, the following table provides a comprehensive overview of all processing operations carried out by Maloc:
| # | Processing | Data concerned | Data subjects | Legal basis (Art. 6 GDPR) | Retention period | Recipients |
|---|---|---|---|---|---|---|
| T01 | Creation and management of User account | Identity, email, telephone, password (hashed) | Renters (directors) + Tenants | Performance of contract — Art. 6(1)(b) | Duration of contractual relationship + 3 years | Maloc, Supabase |
| T02 | OTP authentication (email/SMS) | Email or telephone, OTP code | Renters (directors) + Tenants | Performance of contract — Art. 6(1)(b) | Duration of session (OTP expires after 10 min) | Maloc, Supabase, Resend, SMS operator |
| T03 | Tenant KYC — identity document + driving licence | National ID/passport, driving licence | Tenants | Performance of contract + legitimate interest (security, anti-fraud) — Art. 6(1)(b)(f) | 30 days after verification (except active dispute) | Maloc, Supabase |
| T04 | Renter KYC — director identity document | National ID/passport of the legal representative | Directors of Renter companies | Performance of B2B contract + AML/CFT legal obligation — Art. 6(1)(b)(c) | 5 years after the end of the commercial relationship (Art. L561-12 French Monetary and Financial Code) | Maloc, Supabase |
| T05 | Renter KYC — KBIS | Kbis extract (company data) | Legal entities (not GDPR for the company) | AML/CFT legal obligation — Art. 6(1)(c) | 5 years after the end of the commercial relationship | Maloc, Supabase |
| T06 | Renter KYC — insurance certificates | Insurance certificates (company + professional liability) | Renter companies | Performance of contract + legitimate interest — Art. 6(1)(b)(f) | Duration of contract + 5 years (five-year general limitation period) | Maloc, Supabase |
| T07 | Reservation and rental management | Identity, driving licence, vehicle, dates, location, amounts | Renters (directors) + Tenants | Performance of contract — Art. 6(1)(b) | 5 years after the last rental (limitation Art. 2224 French Civil Code) | Maloc, Supabase, Stripe, counterparty (Renter/Tenant) |
| T08 | Payment processing | Stripe references, transaction history | Tenants (payments), Renters (payouts) | Performance of contract — Art. 6(1)(b) | 13 months after the transaction (PSD2) + 10 years (accounting) | Maloc, Stripe |
| T09 | Deposit management (pre-authorisation) | Authorised amount, Stripe reference, status | Tenants | Performance of contract — Art. 6(1)(b) | 7 days after check-out (then release) + duration of any dispute | Maloc, Stripe |
| T10 | Invoicing and accounting | Invoices, amounts, identity of parties | Renters (directors) + Tenants | Legal obligation — Art. 6(1)(c) (Art. L123-22 French Commercial Code) | 10 years from the date of issue | Maloc, accountant |
| T11 | Digital vehicle inspection (check-in/check-out) | Time-stamped photos (12 angles), GPS of handover location, electronic signatures | Renters (directors) + Tenants (+ third parties if visible in photos) | Performance of contract + legitimate interest (evidence) — Art. 6(1)(b)(f) | 5 years from check-out | Maloc, Supabase, Cloudflare R2 |
| T12 | Vehicle address geolocation | Static address of the availability location (geocoded) | Renters | Performance of contract — Art. 6(1)(b) | Duration of Listing publication | Maloc, HERE.com (geocoding) |
| T13 | Internal messaging | Message content, identity of parties | Renters (directors) + Tenants | Performance of contract — Art. 6(1)(b) | 5 years after last use | Maloc, Supabase |
| T14 | Transactional emails | Email address, transactional email content | Renters (directors) + Tenants | Performance of contract — Art. 6(1)(b) | 3 years after the end of the contractual relationship | Maloc, Resend |
| T15 | Review and rating management | Review text, rating, author identity | Renters (directors) + Tenants | Legitimate interest (improving trust) — Art. 6(1)(f) | Duration of publication (max 5 years) unless deletion requested | Maloc, Supabase |
| T16 | Renter scoring | Performance data (see §3.2.6), calculated score | Renters (legal entities + directors) | Legitimate interest — Art. 6(1)(f) | Duration of account + 1 year | Maloc (internal processing) |
| T17 | Dispute management | All elements relevant to the dispute (reservation, photos, messages, identity) | Renters (directors) + Tenants | Legitimate interest + legal obligation — Art. 6(1)(c)(f) | 5 years from the final closure of the dispute (Art. 2224 French Civil Code) | Maloc, lawyers, insurers, courts |
| T18 | Reporting of traffic offences | Driver identity, offence, vehicle | Renters (as responsible parties), Tenants | Legal obligation (Art. L121-6 French Road Traffic Code) — Art. 6(1)(c) | 5 years from the offence | Maloc, public authorities |
| T19 | DAC7 obligations (tax declarations) | Renter identity, transaction amounts | Renters | Legal obligation (Directive (EU) 2021/514) — Art. 6(1)(c) | 10 years | Maloc, tax authority (DGFIP) |
| T20 | Connection logs and security | IP address, user-agent, timestamp, actions | Renters (directors) + Tenants | Legal obligation (Art. 6 III LCEN) + legitimate interest — Art. 6(1)(c)(f) | 1 year | Maloc, Supabase, Hetzner |
| T21 | Anonymised usage statistics | Aggregated and anonymised data (non-personal) | — (anonymised) | Legitimate interest — Art. 6(1)(f) | Indefinite (anonymised data, outside scope of GDPR) | Maloc |
| T22 | Newsletter and marketing communications | Email, preferences | Renters (directors) + Tenants (if consent given) | Consent — Art. 6(1)(a) | Until withdrawal of consent, then deletion within 3 years | Maloc, Resend |
| T23 | Analytical cookies | Session identifier, pages visited, browsing behaviour | Visitors, Renters, Tenants (if consent given) | Consent — Art. 6(1)(a) | 13 months maximum (CNIL recommendation) | Maloc, analytics tool |
| T24 | Meta Pixel (targeted advertising) | Browser identifier, navigation events | Visitors, Renters, Tenants (if consent given) | Consent — Art. 6(1)(a) | 13 months maximum | Maloc, Meta Platforms, Inc. |
| T25 | TTS speech synthesis (accessibility) | Textual data submitted to the TTS service (no identifying data transmitted) | Users (indirectly) | Legitimate interest (accessibility) — Art. 6(1)(f) | No retention (real-time processing, not stored) | Maloc, ElevenLabs, Inc. (if enabled) |
| T26 | Data breach register | Nature of breach, affected data, measures taken | Data subjects affected by the breach | Legal obligation (Art. 33 GDPR) — Art. 6(1)(c) | 5 years | Maloc (internal register), CNIL |
| T27 | Exercise of GDPR rights | Identity of the requester, nature of the request, response provided | Renters (directors) + Tenants | Legal obligation (Art. 12 GDPR) — Art. 6(1)(c) | 3 years (proof of compliance) | Maloc (DPO) |
Article 5 — DETAILED RETENTION PERIODS
5.1. Tenant data (B2C)
| Data category | Retention period | Justification |
|---|---|---|
| Account data (identity, email) | Duration of contractual relationship + 3 years | Post-contract commercial prospecting (Art. L223-1 CPCE) |
| Identity document (national ID/passport) | 30 days after KYC verification | Data minimisation (Art. 5(1)(e) GDPR) — except active dispute |
| Driving licence | 30 days after KYC verification — except ongoing reservation or dispute | Data minimisation |
| Reservation data | 5 years after the last rental | General limitation period (Art. 2224 French Civil Code) |
| Payment data (Stripe references) | 13 months after the transaction | PSD2 compliance (Directive (EU) 2015/2366) |
| Invoices (accounting records) | 10 years from the date of issue | Art. L123-22 French Commercial Code |
| Check-in/check-out photos | 5 years from check-out | Evidence in the event of a dispute over the condition of the vehicle |
| Internal messages | 5 years after last use | Contractual evidence |
| Connection logs | 1 year | Art. 6 III LCEN |
| Cookies and trackers | 13 months maximum | CNIL recommendation of 17 September 2020 |
| Dispute data | 5 years after final closure | Art. 2224 French Civil Code |
5.2. Data of Renter directors (B2B — natural persons)
| Data category | Retention period | Justification |
|---|---|---|
| Director identification data | Duration of commercial relationship + 5 years | Commercial limitation period (Art. L110-4 French Commercial Code) |
| Identity document of the legal representative | 5 years after the end of the commercial relationship | AML/CFT obligation (Art. L561-12 French Monetary and Financial Code) |
| Kbis extract | 5 years after the end of the commercial relationship | AML/CFT obligation |
| Insurance certificates (vehicles + professional liability) | Duration of insurance contract + 5 years | Five-year general limitation period |
| IBAN and Renter bank details | Duration of commercial relationship + 5 years | Commercial limitation period |
| Scoring data | Duration of account + 1 year | Legitimate interest (performance history) |
| Reservation / transaction data | 5 years after the last transaction | Commercial limitation period (Art. L110-4 French Commercial Code) |
| Invoices (subscriptions, commissions) | 10 years from the date of issue | Art. L123-22 French Commercial Code |
| DAC7 data | 10 years | Directive (EU) 2021/514 |
5.3. Data at the end of the contractual relationship
Upon deletion of the User's account or termination of the contractual relationship:
- Data is anonymised within thirty (30) days for data not subject to a legal retention obligation;
- Data subject to a legal obligation is archived with restricted access (DPO only) for the applicable legal period;
- Connection logs are deleted upon expiry of the one (1) year legal period;
- Data necessary for the defence of Maloc's rights in an ongoing dispute is retained until the final resolution of said dispute.
Article 6 — RECIPIENTS OF PERSONAL DATA
6.1. Sharing between transaction parties
In the context of each reservation, Maloc communicates to each party the information strictly necessary for the performance of the Rental Agreement, in accordance with the principle of data minimisation (Art. 5(1)(c) GDPR):
The Tenant receives:
- Company name of the Renter and name of the operational contact person
- Information and photographs of the Vehicle
- Vehicle insurance certificate (truncated version)
- Vehicle pick-up address
- Renter's professional telephone number
The Renter receives:
- Tenant's surname and first name
- Tenant's mobile telephone number
- Driving licence number (category, date of issue) — not the full copy
- KYC verification status (validated / pending / refused) — without access to raw documents
6.2. Technical processors (Art. 28 GDPR)
All of Maloc's technical processors are bound by a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR:
| Processor | Role | Registered office | Effective data location | Mechanism for transfers outside the EU |
|---|---|---|---|---|
| Supabase Inc. | Main database, authentication, structured storage | San Francisco, USA | Frankfurt, Germany (EU) — region eu-central-1 | Data stored in the EU — no transfer outside the EU for Maloc data |
| Hetzner Online GmbH | Application server hosting | Gunzenhausen, Germany (EU) | Germany (EU) | Intra-EU transfer — no mechanism required |
| Cloudflare, Inc. | CDN, static file storage (R2), DDoS protection, WAF | San Francisco, USA | EU (for R2 Europe) + USA (global CDN network) | SCC (Decision 2021/914) + DPF (EU-US adequacy decision, 10 July 2023) |
| Stripe Technology Europe, Limited | Payment processing, financial identity verification, Stripe Connect | Dublin, Ireland (EU) | EU + Stripe, Inc. (USA) for certain processing operations | SCC + DPF — Stripe DPF certified |
| Resend, Inc. | Transactional email delivery | San Francisco, USA | USA | SCC (Decision 2021/914) |
| Meta Platforms Ireland Limited | Meta Pixel — targeted advertising (if consent given) | Dublin, Ireland (EU) | EU + Meta, Inc. USA | SCC + DPF — Meta DPF certified |
| HERE Global B.V. | Vehicle address geocoding (address to GPS coordinates conversion) | Eindhoven, Netherlands (EU) | EU | Intra-EU transfer — no mechanism required |
| ElevenLabs, Inc. (if TTS feature enabled) | Text-to-Speech synthesis for accessibility | New York, USA | USA | SCC (Decision 2021/914) — non-identifying textual data |
HERE.com clarification: The HERE geocoding service is used exclusively to convert static Vehicle availability addresses into GPS coordinates, in order to display these Vehicles on the Platform map. No personal data of Tenants or Renter directors is transmitted to HERE.com.
ElevenLabs clarification: The text-to-speech feature, when enabled, receives only textual data relating to vehicle descriptions and service information. No identifying personal data (surname, first name, contact details) is transmitted to ElevenLabs.
6.3. Public authorities
Maloc may be required to communicate personal data to the competent authorities upon legal or judicial requisition:
- Police or gendarmerie services in the context of a judicial investigation;
- Tax authority (DGFIP) under DAC7 obligations;
- CNIL in the context of its audit duties (Art. 47 French Data Protection Act);
- Courts in the context of legal proceedings.
Maloc undertakes to make such communications only within the strict legal framework required, and to inform the User concerned to the extent possible and legally permitted.
6.4. No sale of data
Maloc formally and irrevocably undertakes never to sell, rent, assign for consideration or exchange the personal data of its Users with third parties for commercial purposes.
Article 7 — TRANSFERS OF DATA OUTSIDE THE EUROPEAN UNION
7.1. Principle of location within the European Union
Maloc endeavours to keep its Users' personal data within the European Union:
- The main database (Supabase) is hosted in Frankfurt, Germany;
- The application servers (Hetzner) are hosted in Germany;
- Geocoding (HERE.com) is processed in the Netherlands (EU).
7.2. Transfers to the United States
Certain processors are established or operate partially in the United States. These transfers are governed in accordance with Articles 44 to 49 of the GDPR by the following mechanisms:
a) Data Privacy Framework (DPF) — European Commission adequacy decision of 10 July 2023 (C(2023) 4745):
- Stripe, Inc. — DPF certified
- Cloudflare, Inc. — DPF certified
- Meta Platforms, Inc. — DPF certified
b) Standard Contractual Clauses (SCC) — Commission Implementing Decision (EU) 2021/914 of 4 June 2021:
- Resend, Inc.
- ElevenLabs, Inc.
- Cloudflare, Inc. (SCC supplementary to DPF)
7.3. Supplementary protection measures
In accordance with the EDPB recommendations (Guidelines 05/2021 on transfers of personal data under the GDPR), Maloc implements the following supplementary measures:
- Encryption of data in transit via TLS 1.3 (minimum TLS 1.2) for all communications;
- Encryption of data at rest for sensitive data (identity documents, KYC data);
- Pseudonymisation of data in development and testing environments;
- Principle of minimisation: only data strictly necessary is transmitted to processors outside the EU.
7.4. International transfer register
Maloc maintains an international data transfer register in accordance with Article 30(1)(e) of the GDPR. This register is available upon reasoned request sent to dpo@maloc.life.
Article 8 — RIGHTS OF DATA SUBJECTS
In accordance with Articles 15 to 22 of the GDPR, every data subject — including directors of Renter companies with regard to their personal data — has the following rights:
8.1. Right of access (Art. 15 GDPR)
Every data subject may obtain confirmation that their data is being processed by Maloc, and access all such data, together with information on the purposes, recipients, retention periods and available rights. A copy of the data may be provided in a readable format.
8.2. Right to rectification (Art. 16 GDPR)
Inaccurate data may be rectified directly from the personal account area or by request to the DPO. For KYC data (expired identity documents, change of director), the User is invited to submit updated documents via the Platform.
8.3. Right to erasure — "Right to be forgotten" (Art. 17 GDPR)
Every data subject may request the erasure of their data when:
- The data is no longer necessary in relation to the purposes for which it was collected;
- Consent has been withdrawn and there is no other legal basis;
- A valid objection has been exercised (Art. 21 GDPR);
- The data has been unlawfully processed.
Limitations of this right: Erasure cannot be granted where processing is necessary for compliance with a legal retention obligation (accounting data, AML/CFT), for the establishment or defence of legal claims, or for archiving purposes in the public interest.
8.4. Right to data portability (Art. 20 GDPR)
Data processed on the basis of contract or consent may be retrieved in a structured, commonly used and machine-readable format (JSON or CSV). This right applies to Tenants and to Renter directors for their personal data.
8.5. Right to object (Art. 21 GDPR)
Every data subject may object at any time:
- To processing based on Maloc's legitimate interest, on grounds relating to their particular situation — Maloc must then demonstrate compelling legitimate grounds prevailing over the interests of the data subject;
- To direct marketing (absolute right of objection, no justification required);
- To inclusion in the Renter scoring system (see Article 11).
The objection to direct marketing may be exercised directly from the account notification settings or by writing to dpo@maloc.life.
8.6. Right to restriction of processing (Art. 18 GDPR)
Restriction of processing may be requested in particular:
- Where the accuracy of the data is contested, for the duration of Maloc's verification;
- Where the processing is unlawful and the data subject opposes erasure;
- Where Maloc no longer needs the data but the data subject requires it for the establishment of legal claims.
8.7. Right to withdraw consent (Art. 7(3) GDPR)
Withdrawal of consent (cookies, marketing) may be exercised at any time, without affecting the lawfulness of processing carried out prior to withdrawal. Withdrawal is effected via the cookie management banner or by email to dpo@maloc.life. Withdrawal takes effect within a maximum period of 72 hours.
8.8. Right to lodge a complaint with the CNIL (Art. 77 GDPR)
Every data subject may lodge a complaint with the competent supervisory authority:
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
Telephone: +33 (0)1 53 73 22 22
Website: https://www.cnil.fr
Online form: https://www.cnil.fr/fr/plaintes
8.9. Practical arrangements for exercising rights
How to exercise your rights:
- By email: dpo@maloc.life (subject: "Exercise of GDPR rights — [Nature of the right]")
- By post: MALOC SASU, 15 quai aux fleurs, 75004 Paris — For the attention of the DPO (confidential)
- Via the personal account area on the Platform for directly accessible rights (rectification, marketing objection)
Response time: Maloc undertakes to respond within thirty (30) calendar days of receipt of the request (Art. 12(3) GDPR). This period may be extended by two (2) additional months in the event of complexity or a high number of requests, with reasoned notification within the initial thirty-day period.
Identity verification: A copy of an identity document may be requested to process sensitive requests, in order to prevent fraudulent access. This document is deleted once the request has been processed.
Free of charge: The exercise of rights is free of charge. In the event of manifestly unfounded or excessive requests (abusive frequency), Maloc may charge a reasonable fee or refuse to act, with reasoned notification (Art. 12(5) GDPR).
Article 9 — PROFILING AND AUTOMATED DECISIONS
9.1. Renter scoring system
Maloc uses an automated scoring system to assess the quality of service of Renters on the Platform. This score is calculated on the basis of objective performance criteria:
| Criterion | Indicative weighting |
|---|---|
| Average rating received from Tenants | Significant |
| Punctuality rate (check-in/check-out) | Significant |
| Cancellation rate by the Renter | Significant |
| Responsiveness to reservation requests | Moderate |
| Quality and completeness of the profile and Listings | Moderate |
| Number and seniority of reservations | Moderate |
| Dispute resolution rate in favour of the Tenant | Significant |
Legal basis: Legitimate interest of Maloc (Art. 6(1)(f) GDPR) — improving service quality and protecting Tenants. Maloc has carried out a balancing test confirming that this interest prevails over the interests of Renters, given the professional nature of the latter and the limited effects of the scoring.
Effects of scoring:
- Influence on the ranking of Listings in search results;
- An insufficient score may trigger a verification or warning procedure;
- The score does not lead to automatic account termination (see §9.3).
9.2. Right to opt out of scoring
Any Renter may object to the inclusion of their data in the scoring system by sending a request to dpo@maloc.life. In the event of a valid objection, the Renter will be excluded from the score-based ranking system, which may result in reduced visibility of their Listings in search results. Maloc will inform the Renter of the practical consequences of their objection before implementing it.
9.3. No solely automated decision producing legal effects
In accordance with Article 22 of the GDPR, Maloc undertakes not to take any decision producing significant legal effects — including account termination, permanent suspension, access prohibition — on the sole basis of fully automated processing, without human intervention. Any decision to suspend or ban an account is subject to prior human review by Maloc's Trust & Safety team.
9.4. Right to explanation and right to contest
Any User affected by a decision involving automated processing has:
- The right to obtain an explanation of the logic of the processing and the criteria used (Art. 22(3) GDPR);
- The right to contest the decision before a human representative of Maloc;
- The right to express their point of view before the decision becomes final.
These rights are exercised by sending a request to dpo@maloc.life or via the internal appeal procedure provided in the Terms and Conditions.
Article 10 — DATA SECURITY
10.1. Technical and organisational measures (Art. 32 GDPR)
Maloc implements appropriate security measures in view of the risks identified during the Data Protection Impact Assessment (DPIA):
Technical measures:
- Encryption in transit: TLS 1.3 (minimum TLS 1.2) for all communications between Users and the Platform (mandatory HTTPS);
- Encryption at rest: AES-256 encryption of sensitive data (identity documents, KYC data) in databases;
- Strong authentication: OTP authentication (one-time code by email or SMS) for each login and sensitive action;
- Password hashing: Storage in hashed form using bcrypt (cost >= 12);
- Environment isolation: Strict separation of production, staging and development environments;
- Pseudonymisation: Use of pseudonymised data in testing environments.
Organisational measures:
- Access control: Principle of least privilege — access to personal data strictly limited to authorised persons according to their role;
- Logging: Logs of access to sensitive data, retained for one (1) year, enabling the detection of unauthorised access;
- Backups: Regular encrypted backups (daily), stored in secure environments geographically separate from production;
- Training: Annual training of Maloc teams on data protection best practices;
- Access review: Quarterly review of data access authorisations.
10.2. Data breach — Procedure (Art. 33-34 GDPR)
In the event of a personal data breach (unauthorised access, destruction, loss, alteration, unauthorised disclosure), Maloc applies the following procedure:
Step 1 — Detection and qualification (H+0 to H+4):
- Identification of the nature of the breach and the data affected;
- Assessment of the likelihood of risk to the rights and freedoms of data subjects;
- Activation of the internal crisis team.
Step 2 — Notification to the CNIL (within 72 hours):
- In accordance with Article 33 of the GDPR, Maloc notifies the CNIL within seventy-two (72) hours of becoming aware of a breach likely to result in a risk to the rights and freedoms of data subjects;
- The notification includes: the nature of the breach, the categories and approximate number of data subjects concerned, the data affected, the likely consequences, the measures taken or proposed;
- If the notification cannot be complete within the 72-hour period, an initial notification is sent and completed without undue delay.
Step 3 — Notification to data subjects (if high risk):
- In accordance with Article 34 of the GDPR, Maloc informs without undue delay the data subjects concerned when the breach is likely to result in a high risk to their rights and freedoms (e.g. identity theft, discrimination, financial harm);
- The communication describes in clear terms the nature of the breach, the data affected, the likely consequences and the measures taken to remedy it;
- The communication is made via the email associated with the User's account and, if applicable, via in-app notification.
Step 4 — Logging:
- Every data breach is documented in the internal breach register (Art. 33(5) GDPR), retained for five (5) years, whether or not it was notified to the CNIL.
Article 11 — GEOLOCATION AND PHOTOGRAPHS
11.1. Vehicle geolocation — Static address only
The Maloc Platform uses geolocation data in the following contexts:
- Map display of Listings: The Vehicle availability address, entered by the Renter, is geocoded via the HERE.com service (address to GPS coordinates conversion) to display the Vehicle on the search map. This is a static address chosen by the Renter, not a real-time position.
- GPS metadata from vehicle inspection photographs: The GPS coordinates extracted from check-in/check-out photographs correspond to the geographical position of the Vehicle handover or return location at the time the photograph was taken. These coordinates serve to timestamp and geolocate the vehicle inspection for evidentiary value.
Maloc does not under any circumstances:
- Carry out continuous or periodic GPS tracking of the Vehicle during the rental period;
- Collect the real-time geographical position of the Tenant or Renter via the Platform;
- Engage in any form of surveillance of Users' mobility.
11.2. Vehicle inspection photographs — Processing of potentially sensitive data
The vehicle inspection photographs (check-in/check-out) are intended exclusively to document the condition of the Vehicle. These photographs may incidentally capture identifiable natural persons (passers-by, other persons present during the vehicle inspection).
Applicable measures:
- Maloc expressly recommends that parties do not photograph identifiable third parties during the vehicle inspection;
- In the event of the presence of an identifiable person in a photograph, this image constitutes personal data within the meaning of the GDPR and is subject to the corresponding protections;
- Identifiable persons appearing incidentally in these photographs may exercise their right of access and deletion with the DPO (dpo@maloc.life), subject to evidentiary retention obligations;
- Access to photographs is strictly limited: the transaction parties (Renter and Tenant) have access, as do Maloc and, where applicable, the competent authorities in the context of a dispute.
Retention period: 5 years from check-out (evidentiary value in case of dispute over the condition of the Vehicle).
Article 12 — COOKIES AND TRACKERS
12.1. Applicable regulatory framework
The management of cookies and trackers is governed by:
- Directive 2002/58/EC concerning privacy in electronic communications (ePrivacy);
- Article 82 of the French Data Protection Act (French transposition of the ePrivacy Directive);
- the CNIL recommendations of 17 September 2020 on cookies and trackers (deliberation No 2020-091);
- the EDPB guidelines on consent (Guidelines 05/2020).
12.2. Principle of prior consent
In accordance with Article 82 of the French Data Protection Act, only cookies strictly necessary for the operation of the Platform may be deposited without the prior consent of the User. All other cookies require free, specific, informed and unambiguous consent (Art. 4(11) GDPR).
12.3. No cookie wall — Free access without consent to non-essential cookies
In accordance with the CNIL guidelines and EDPB case law, refusal of non-essential cookies cannot be a condition of access to the Platform. Any User may access and use all the functionalities of the Maloc Platform without accepting analytical or marketing cookies. The absence of a cookie wall is a fundamental guarantee of the freedom of consent.
12.4. Symmetry of consent and refusal
In accordance with the 2020 CNIL guidelines, refusing cookies must be as easy as accepting them. The Platform's cookie management interface offers:
- An "Accept all" button and a "Refuse all" button with equivalent presentation and accessibility;
- The possibility of granular configuration by cookie category;
- No additional navigation constraint to access the refusal button.
12.5. Table of cookies used
a) Strictly necessary cookies — Exempt from consent (Art. 82 French Data Protection Act)
| Name / Identifier | Publisher | Purpose | Lifespan |
|---|---|---|---|
| sb-[project]-auth-token | Maloc (Supabase) | Maintaining the User's authenticated session | Session duration |
| csrf_token | Maloc | Protection against Cross-Site Request Forgery (CSRF) attacks | Session duration |
| user_prefs | Maloc | Storing display preferences (language, time zone) | 13 months |
These cookies are essential for the technical operation of the Platform. Disabling them would render the Platform unusable or insecure. They do not collect data for behavioural tracking purposes.
b) Analytical cookies — Consent required
| Tool | Publisher | Purpose | Lifespan | Legal basis |
|---|---|---|---|---|
| Analytics tool (to be specified at deployment) | To be specified | Anonymised audience measurement: pages visited, session duration, bounce rate — aggregated and anonymised data | 13 months maximum | Consent — Art. 6(1)(a) GDPR + Art. 82 French Data Protection Act |
If the collected data is strictly aggregated and anonymised, Maloc may seek a consent exemption from the CNIL in accordance with its deliberation No 2022-253 of 19 July 2022 (analytical audience measurement cookies exempt).
c) Marketing and advertising cookies — Consent required
| Tool | Publisher | ID / Identifier | Purpose | Lifespan | Legal basis |
|---|---|---|---|---|---|
| Meta Pixel | Meta Platforms Ireland Limited | Pixel ID: 1605202037392588 | Measuring the effectiveness of Meta advertising campaigns (Facebook, Instagram), advertising retargeting, creation of lookalike audiences | 13 months maximum | Consent — Art. 6(1)(a) GDPR + Art. 82 French Data Protection Act |
The Meta Pixel is inactive by default. It is only loaded and deposits cookies after the explicit consent of the User has been obtained. In the event of refusal or absence of choice, no Meta cookie is deposited and no tracking identifier is transmitted to Meta Platforms.
12.6. Cookie management interface (Consent Management Platform)
A cookie management banner compliant with CNIL recommendations is displayed on each first visit to the Platform and upon any substantial modification of the cookies used. The User may at any time modify their preferences via the "Manage my cookies" link available at the bottom of each page of the Platform.
12.7. Duration of consent validity
Consent is valid for a maximum period of thirteen (13) months. Upon expiry of this period, the banner is presented to the User again for renewal. In the absence of renewal, non-essential cookies are automatically deactivated.
12.8. Third-party cookies
Certain cookies may be deposited directly by third parties (Meta Platforms) on the User's device. Maloc has no direct control over these third-party cookies once consent has been given. Users are invited to consult the privacy policies of the relevant third parties:
- Meta Platforms: https://www.facebook.com/privacy/policy/
Article 13 — MINORS
13.1. The Maloc Platform is reserved exclusively for natural persons aged at least eighteen (18) years. Maloc does not knowingly collect personal data relating to minors.
13.2. The User who creates an account on the Platform certifies that they are of legal age. In the event of discovery that data of a minor has been collected, Maloc shall proceed to delete such data as soon as possible and without undue delay.
13.3. Parents or legal guardians of a minor whose data may have been collected may request immediate deletion by contacting the DPO at dpo@maloc.life.
Article 14 — RESPECTIVE ROLES OF RENTER / MALOC (ART. 26-28 GDPR)
14.1. Maloc as Data Controller
Maloc is the Data Controller for all processing operations carried out for its own purposes: platform management, invoicing, security, Renter scoring, legal obligations.
14.2. Maloc as Data Processor for Renters
For processing operations carried out on behalf of Renters via the Platform tools (internal messaging, vehicle inspection management, rental contract storage), Maloc acts as Data Processor within the meaning of Article 28 of the GDPR. In this context:
- A Data Processing Agreement (DPA) between Maloc and each Renter formalises the respective obligations;
- Maloc processes this data only on documented instructions from the Renter;
- Maloc does not sub-process this data to third parties except through the processors listed in Article 6.2.
14.3. Obligations of Renters as Data Controllers
Professional Renters, as Data Controllers for their own rental activities, are required to:
- Inform their customers (Tenants) of their own data processing operations in accordance with Articles 13 and 14 of the GDPR;
- Have a valid legal basis for each personal data processing operation they carry out;
- Comply with the applicable retention periods for their own processing operations;
- Guarantee the rights of data subjects for the processing operations for which they are responsible.
Article 15 — DATA PROTECTION IMPACT ASSESSMENT (DPIA)
In accordance with Article 35 of the GDPR, Maloc has carried out or will carry out a Data Protection Impact Assessment (DPIA) for processing operations likely to result in a high risk to the rights and freedoms of individuals, in particular:
- Processing of identity documents and KYC data (large scale, sensitive data);
- Renter scoring system (profiling);
- Vehicle inspection photographs with GPS data.
The conclusions of these DPIAs are documented and held by the DPO. They may be transmitted to the CNIL upon request.
Article 16 — RECORD OF PROCESSING ACTIVITIES (ART. 30 GDPR)
16.1. In accordance with Article 30 of the GDPR, Maloc maintains and keeps up to date a record of processing activities. This record, maintained by the DPO, documents:
- The name and contact details of the Data Controller and DPO;
- The purposes of the processing operations;
- The categories of data subjects and data;
- The categories of recipients;
- Transfers to third countries and applicable safeguards;
- Retention periods;
- A general description of security measures.
16.2. This record is available upon reasoned request sent to dpo@maloc.life, under the conditions provided by the CNIL, in particular in the context of a CNIL request or where a data subject wishes to verify its existence.
Article 17 — AMENDMENTS TO THE PRIVACY POLICY
17.1. Maloc reserves the right to amend this Policy at any time, in particular to adapt to legal or regulatory developments (new CNIL or EDPB recommendations), or to new data processing practices.
17.2. In the event of a substantial amendment (new purposes, new processors, change of legal basis, new transfers outside the EU), Maloc shall notify Users by email to the address associated with their account, at least thirty (30) days before the effective date of the amendments.
17.3. If the amendments require new consent (e.g. new consent-based processing), Maloc shall obtain this consent prior to the implementation of the new processing.
17.4. In the event of refusal of amendments involving a change to the contract, the User may exercise their right to delete their account. Maloc shall then process the remaining data in accordance with legal retention obligations.
17.5. Successive versions of this Policy are archived by the DPO and available upon request at dpo@maloc.life. A version history may also be consulted at the bottom of the Policy page on the Platform.
Article 18 — CONTACT AND EXERCISE OF RIGHTS
For any question relating to this Policy or to exercise your data protection rights:
Data Protection Officer (DPO)
MALOC SASU — For the attention of the DPO
15 quai aux fleurs, 75004 Paris
Email: dpo@maloc.life
(Recommended subject: "Exercise of GDPR rights — [Nature of your request]")
General customer service
Email: contact@maloc.life
Competent supervisory authority
CNIL — Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy — TSA 80715 — 75334 Paris Cedex 07
Telephone: +33 (0)1 53 73 22 22
Website: https://www.cnil.fr
Online complaint: https://www.cnil.fr/fr/plaintes
ANNEX A — GLOSSARY
| Term | Definition |
|---|---|
| GDPR | Regulation (EU) No 2016/679 of 27 April 2016 — General Data Protection Regulation |
| French Data Protection Act | Loi Informatique et Libertés No 78-17 of 6 January 1978, as amended |
| ePrivacy | Directive 2002/58/EC concerning the processing of data and the protection of privacy in electronic communications |
| CNIL | Commission Nationale de l'Informatique et des Libertés — French supervisory authority |
| EDPB | European Data Protection Board — European coordination body |
| DPO | Data Protection Officer |
| KYC | Know Your Customer — identity verification and compliance process |
| AML/CFT | Anti-Money Laundering / Countering the Financing of Terrorism |
| SCC | Standard Contractual Clauses adopted by the European Commission |
| DPF | Data Privacy Framework — EU-US data protection framework (2023 adequacy decision) |
| DPA | Data Processing Agreement (Art. 28 GDPR) |
| DPIA | Data Protection Impact Assessment (Art. 35 GDPR) |
| OTP | One-Time Password — single-use code for authentication |
| DAC7 | Directive (EU) 2021/514 — reporting obligation for digital platforms to tax authorities |
| PSD2 | Directive (EU) 2015/2366 — payment services in the internal market |
| CDN | Content Delivery Network |
| TLS | Transport Layer Security — communications encryption protocol (HTTPS) |
| WAF | Web Application Firewall |
ANNEX B — LEGAL REFERENCE FRAMEWORK
This Policy is based on the following texts:
European Union:
- Regulation (EU) No 2016/679 of 27 April 2016 (GDPR)
- Directive 2002/58/EC of 12 July 2002 (ePrivacy)
- Regulation (EU) 2022/2065 of 19 October 2022 (DSA — Digital Services Act)
- Directive (EU) 2015/2366 of 25 November 2015 (PSD2)
- Directive (EU) 2021/514 of 22 March 2021 (DAC7)
- Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (SCC)
- Adequacy decision C(2023) 4745 of 10 July 2023 (EU-US DPF)
France:
- Act No 78-17 of 6 January 1978 (Informatique et Libertés), as amended
- Ordinance No 2018-1125 of 12 December 2018
- Act No 2004-575 of 21 June 2004 (LCEN)
- Ordinance No 2016-1635 of 1 December 2016 (AML/CFT)
- Article L561-12 of the French Monetary and Financial Code (AML/CFT retention)
- Article L123-22 of the French Commercial Code (accounting retention)
- Article 2224 of the French Civil Code (five-year general limitation period)
- Article L110-4 of the French Commercial Code (commercial limitation period)
- Article L121-6 of the French Road Traffic Code (driver designation)
- Article L111-7 of the French Consumer Code (platform operator)
Recommendations and guidelines:
- CNIL deliberation No 2020-091 of 17 September 2020 (cookies and trackers)
- CNIL deliberation No 2022-253 of 19 July 2022 (analytical cookies exemption)
- EDPB Guidelines 05/2020 on consent (revised version of 4 May 2020)
- EDPB Guidelines 05/2021 on transfers of personal data
- EDPB Guidelines 01/2022 on the rights of data subjects
MALOC SASU — Privacy Policy — Version 2.0 — 22 March 2026
Drafted by: DPO Maloc (dpo@maloc.life)
Next planned revision: March 2027