Personal Data Protection Policy

This policy aims to inform any natural person whose data is processed by Quarzo Life about how their personal data is collected, used, protected and processed as part of its activities, in accordance with Regulation (EU) 2016/679 of 27 April 2016 (GDPR), Law No. 78-17 of 6 January 1978 as amended, the applicable provisions of the French Insurance Code, and sector-specific obligations relating to the prevention of money laundering and terrorist financing (AML/CFT).

Quarzo Life, a public limited company with a board of directors, registered with the Paris Trade and Companies Register under number 101 015 956, whose registered office is located at 16 rue Vignon, 75009 Paris, is an insurance undertaking authorized and supervised by the Autorité de Contrôle Prudentiel et de Résolution (ACPR).

This policy applies to any natural person whose data is processed by Quarzo Life, including:

• policyholders,
• insured persons,
• beneficiaries,
• prospects,
• candidates,
• legal representatives,
• website visitors,
• users of client spaces.

The data controller responsible for processing personal data is:

Quarzo Life

16 rue Vignon – 75009 Paris

Paris Trade and Companies Register 101 015 956

For any questions regarding data processing: dpo@quarzo-life.com

Quarzo Life may collect personal data in the following situations:

• request for information or contact through the website,
• newsletter subscription,
• private messages sent through social networks,
• subscription to a life insurance policy,
• conclusion and performance of a contract,
• use of workspaces, the mobile application and APIs,
• use of the Sandbox testing environment,
• compliance with regulatory obligations,
• management of payments and collections,
• submission of a job application,
• performance of legal and regulatory obligations and pursuit of Quarzo Life’s legitimate interests.

Quarzo Life may collect the following categories of personal data:

• identification data: surname, first names, date and place of birth, nationality, postal address, email address, telephone number,
• documentary data: identity document copy, proof of address, tax residence, tax identification number (TIN), business documents such as invoices or contracts,
• biometric data: biometric elements extracted from photos or videos for remote identity verification performed by payment service providers,
• financial and wealth data: IBAN, professional situation, income, overall wealth, origin of funds, results of suitability and risk appetite questionnaires,
• data relating to insured persons and beneficiaries transmitted by the policyholder,
• AML/CFT and compliance data: sanctions screening results, politically exposed persons (PEP) checks, risk indicators and internal alerts,
• technical and usage data: IP addresses, logs, client area access logs and security-related technical data.

All collected information is processed lawfully and fairly, recorded for specific and legitimate purposes, used only in accordance with those purposes, adequate and relevant, and protected by appropriate security measures.

The website, blog and workspaces use Simple Analytics, a privacy-friendly analytics tool that does not collect personal data and does not require consent.

Only cookies strictly necessary for the operation of the website, workspaces and API are used.

Personal data is processed for the following purposes:

Performance of contractual obligations

• subscription and management of life insurance contracts,
• collection of premiums,
• execution of payments and redemptions,
• management of payers, insured persons and beneficiaries,
• client area access and administration,
• API provision,
• service billing,
• implementation of necessary security measures.

Compliance with legal and regulatory obligations

• biometric analysis of official identity documents,
• anti-money laundering and counter-terrorism financing obligations (AML/CFT),
• international sanctions screening,
• identification of politically exposed persons (PEPs),
• TRACFIN reporting obligations,
• tax reporting obligations,
• ACPR prudential supervision requirements,
• regulatory archiving,
• responses to requests from French and European authorities.

Pursuit of legitimate interests

• fraud prevention and detection,
• system security,
• complaint management,
• service improvement.

Explicit consent of data subjects

• processing of job applications,
• sending commercial communications,
• sending newsletters and informational emails,
• responding to social media requests.

In accordance with regulatory requirements applicable to life insurance products, Quarzo Life performs an investor profile assessment based on the information provided.

This analysis ensures the suitability of the contract and its financial allocation with the subscriber’s profile.

Quarzo Life may share personal data with the following recipients where necessary:

Authorized internal services

Only authorized employees bound by strict confidentiality obligations.

Service providers and subcontractors

• Memo Bank: premium collection and payment execution,
• Goodflag (Lex Persona): electronic signature of contracts and documents,
• Fincraft: logging and audit of the production environment,
• Brevo: newsletter distribution,
• Join: candidate management.

These providers act solely on Quarzo Life’s instructions.

Ministerial officers and legal auxiliaries

• notaries for succession procedures and identification of life insurance contracts,
• bailiffs or lawyers when necessary.

Professional organizations and authorized third parties

• AGIRA for the search of unclaimed life insurance beneficiaries,
• insurance professional organizations for fraud prevention.

Administrative and judicial authorities

• ACPR and CNIL for supervisory purposes,
• TRACFIN under AML/CFT obligations,
• tax authorities.

No commercial sale of personal data is carried out.

Data is hosted on Quarzo Life servers located within the European Union and within data centers governed by European standards.

No data transfers outside the European Union are carried out for insurance contract management.

Personal data is retained for periods compliant with legal and regulatory requirements applicable to the insurance sector.

• contractual data: 5 years after the end of the relationship,
• AML/CFT data: 5 years after the end of the relationship,
• accounting data: 10 years,
• prospect data: 3 years after the last contact,
• technical logs: 1 year.

Quarzo Life implements appropriate technical and organizational measures, including:

• encryption of sensitive data,
• strict access control,
• secure authentication,
• access logging,
• daily off-site backups,
• system security monitoring,
• network filtering,
• incident management procedures,
• regular staff training.

Authorized persons processing data are subject to confidentiality obligations.

In accordance with applicable regulations, individuals have the following rights:

• right of access to obtain information and a copy of personal data,
• right to rectification of inaccurate or incomplete data,
• right to erasure within legal limits,
• right to restriction of processing,
• right to object, particularly to marketing communications,
• right to data portability where applicable,
• right to withdraw consent at any time where processing is based on consent.

These rights may be exercised by written request with proof of identity sent to dpo@quarzo-life.com.

Quarzo Life reserves the right to modify this policy at any time to reflect regulatory, technical or organizational changes.

If substantial modifications affect user rights, active client space users will be informed by email at least 30 days before the changes take effect.

For any questions regarding this personal data protection policy, users may send a request by email.

Users may also lodge a complaint with the French Data Protection Authority (CNIL).