Privacy Policy

DATA PROTECTION POLICYPRIVACY POLICY Effective Date: October 26, 2021 CIRCLES takes the protection of your personal data very seriously. We have developed this policy to inform you of the conditions under which we collect, process, use and protect your personal data. Please read them carefully in order to familiarize yourself with the categories of personal data which are the subject of collection and processing, the way in which we use this data and with whom we may share it. This policy also describes your rights and how you can contact us to exercise these rights or to ask us any questions you may have regarding the protection of your personal data. This privacy policy may be modified, supplemented or updated, to comply with any legal development, regulatory, jurisprudential or technical that may arise. However, your personal data will always be treated in accordance with the policy in force at the time of data collection, unless a compulsory legal prescription provides otherwise and must be applied retroactively. In addition to this privacy policy, the use of the Website and services requires acceptance of the conditions of use of the Website. DEFINITIONS “Personal data”: any information concerning an identified natural person or who can be identified directly or indirectly by reference to an identification number or to one or more factors specific to that person. “Beneficiary”: persons designated by the Customer as beneficiary of Circles concierge services. “We” or “our”: CIRCLES (hereinafter “Circles”), 800 South Street, Suite 195, Waltham, MA 02451, represented by Circle Company Associates, Inc. a subsidiary of Sodexo, Inc. (hereinafter “Sodexo“). “You”: any user / visitor to the website. “Website”: the Circles websites available at www.circles.com and my.circles.com as well as any client website hosted under a domain managed by Circles. COLLECTION AND SOURCE OF PERSONAL DATA We will most likely collect your personal data directly (in particular via the data collection forms on our Website) or indirectly (in particular via our service providers and / or technologies on our Website, or data communicated by your employer). We are committed to obtaining your consent and/or allowing you to refuse the use of your data for certain purposes whenever necessary. In any event, you will be informed of the purposes for which your data is collected. TYPES OF PERSONAL DATA WE COLLECT AND USE We may specifically collect and process the following types of personal data:

• the information you provide when filling out the Website forms (for example, to subscribe, participate in surveys, for marketing purposes, etc.
• the information you provide for authentication purposes;
• the information you provide for the fulfillment of an order or to provide a service; and
• through “messages”, comments or other content that you post on the Website.

Personal data identified by an asterisk in the data collection forms is mandatory because it is necessary for the execution of past requests. In the absence of this mandatory information, these requests cannot be processed. PERSONAL DATA WE COLLECT AUTOMATICALLY We automatically collect certain information when you visit our Website to personalize and improve your experience. We collect this information using various methods such as Cookies. Cookies Some of our websites may use “cookies.” Cookies are portions of text that are placed on your computer’s hard drive when you visit certain websites. We may use cookies to tell us, for example, whether you have visited us before or if you are a new visitor and to help us identify features in which you may have the greatest interest. Cookies may enhance your online experience by saving your preferences while you are visiting a website. We will let you know when you visit our websites what types of cookies we use and how to disable such cookies. When required by law, you will have the ability to visit our websites and refuse the use of cookies at any time on your computer. For more information, please consult our Cookie Policy. Cookies – California’s Do Not Track Notice Our Website does not support “Do Not Track” browser settings and does not currently participate in any Do Not Track frameworks that would allow any of our Website to respond to signals or other mechanisms from you regarding the collection of your personal data. IP addresses An IP address is a unique identifier used by certain electronic devices to identify and communicate with each other on the Internet. When you visit our Website, we may use the IP address of the device you use to connect to the Website. We use this information to determine the general physical location of the device and to know in which geographic areas our visitors are located. Statistics Our Website uses Google Analytics to generate statistical reports. These reports tell us, for example, how many users have visited our Website, what pages have been visited, and in what geographic areas users of the Website are located. Information collected through statistics may include, for example, your IP address, the website from which you came to our Website and the type of device you used. Your IP address is hidden on our systems and will only be used when necessary to solve a technical problem, for the administration of the Website and to know the preferences of our users. Information on Website traffic is only accessible by authorized personnel. Social media You can click on the dedicated icons of social networks such as Twitter, Facebook, LinkedIn, etc. that appear on our Website. Social networks create a more friendly atmosphere on the Website and help promote the Website through sharing. Video sharing services enrich the video content of our Website and increase its visibility. When you click on these buttons, we may have access to the personal information that you have made public and accessible via your profiles on the social networks in question. We do not create or use any separate database from these social networks on the basis of the personal information you have published there, and we do not process any data relating to your privacy by these means. PURPOSES FOR WHICH WE USE PERSONAL DATA We use your personal data for the following purposes:

• to respond to your requests such as requests for information, research, newsletter or other content;
• to provide the services and offers ordered on our Website and / or in one of our establishments;
• to conduct surveys and collect statistics;
• to personalize and improve your experience on our Website;
• offer you our products and services and / or those of our partners; and
• any other purpose of which we will inform you, if necessary, when we collect your data.

We do not sell, as defined under the California Consumer Protection Act of 2018 (“CCPA”), your personal data to third parties. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA We process your personal data as part of the execution and management of our contractual relationship with you, in our legitimate interest to improve the quality and operational excellence of the services we offer you or in accordance with certain regulatory obligations. Your personal data may also be processed based on your prior consent if, in certain circumstances, your consent is required. DISCLOSURE OF PERSONAL DATA The security and confidentiality of your personal data is of great importance to us. Therefore, we limit access to your personal data to only members of our staff who need it to process your orders or provide the requested service. We will not disclose your personal data to unauthorized third parties. However, we may be required to share your personal data with entities of the Sodexo group and with authorized service providers (for example: technical providers [hosting, maintenance], consultants, etc.) to which we can call in the context of our benefits. We do not allow our service providers to use or disclose your data, except to the extent necessary to provide services on our behalf or to comply with legal obligations. In addition, we may share personal data about you:

1. if required by law or legal process,
2. in response to a request from public authorities or other officials, or

if we believe that the transfer of this data is necessary or appropriate to prevent any physical damage or financial loss or in connection with an investigation concerning a suspected or proven illegal activity. SHELF LIFE OF YOUR PERSONAL DATA We will only keep your data for as long as is necessary to achieve the purposes for which it was collected and processed. This period may be extended, if necessary, for the duration provided for by any applicable legal or regulatory provision. PERSONAL DATA AND “SENSITIVE” DATA, AS DEFINED BY GDPR In general, we do not collect sensitive personal data through our Website. “Sensitive personal data” means any information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, data relating to health or sexual life or orientation sexual activity of a natural person. This definition also includes personal data relating to criminal convictions and offenses. If it is strictly necessary to collect this data to achieve the objective for which the processing is carried out, we will do so in accordance with local legal requirements regarding the protection of personal data and, in particular, PERSONAL INFORMATION AND CHILDREN The Website is intended for use by adults who have the capacity to enter a contract under the laws of the country in which they are located. Child users under the age of 16, or those without legal capacity, must obtain the consent of their legal guardians before submitting their data on the Website. The age limit of 16 can be reduced to 13 depending on the local legislation of your place of usual residence. Our Website is intended for a general audience and is not directed to children under the age of 13.   Please contact us if you believe that we may have collected information from your child, and we will work to delete it. TRANSFER OF PERSONAL DATA As Sodexo is an international group, your personal data may be transmitted to internal or external recipients who are authorized to provide services on our behalf and who are located in countries outside the country of data collection who may not offer an adequate level of protection of personal data. In order to guarantee the security and confidentiality of the personal data thus transmitted, we will take all necessary measures to ensure that these data benefit from adequate protection, such as the signing of standard contractual clauses of the European Commission or other equivalent measures. YOUR RIGHTS In accordance with applicable law, you may have certain rights relating to the processing of your personal data. Right of Access – You have the right to request access to your personal data. You can also request the rectification of inaccurate personal data or request that incomplete data be completed. You also have the right to know the origin of personal data. Right to Erasure – Your right to be forgotten gives you the right to request the erasure of your personal data when: (i) the data is no longer necessary for the fulfillment of the purposes for which it was collected and processed; (ii) you choose to withdraw your consent (if your consent has been obtained as a legal basis for processing), without this withdrawal affecting the lawfulness of any processing carried out before this withdrawal; (iii) you object to the processing; (iv) your data has been processed unlawfully; (v) your data must be deleted to comply with a legal obligation or (vi) their deletion is necessary to comply with current legislation. Right to Limitation – You can also request the limitation of the processing of your personal data if: (i) you dispute the accuracy of your data; (ii) we no longer need this data for processing purposes; and (iii) you object to the processing of data. Right to Refuse Direct Marketing Messages – You can at any time request to no longer receive advertising or prospecting by contacting us directly, free of charge, or via the “unsubscribe” link included with any form of prospecting that we may send you, by e-mail, or by sending us an e-mail to the address provided below. This opposition is without prejudice to the lawfulness of any communication sent to you before the implementation of the opposition. Right Not to Be Subject to Automated Decisions – You have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal affect upon you or significantly affects you. Right to Object to Processing – You may object (i.e. exercise your right to “opt-out”) to the processing of your Personal Data particularly in relation to profiling or to marketing communications. When we process your Personal Data on the basis of your consent, you can withdraw your consent at any time. Right of Data Portability – You can ask us to provide your personal data in a structured, commonly used and machine-readable format or you can request that it be transmitted directly to another controller, provided that: (i) the processing is based on your consent or is necessary for the performance of a contract with you; and (ii) that it is carried out by automated means. Right to Lodge a Complaint – You can choose to lodge a complaint with the Data Protection Supervisory Authority in the country of your habitual residence, place of work or place of the alleged infringement, regardless of whether you have suffered damages. Personal Data. You have also the right to lodge your Complaint before the courts where the Sodexo entity has an establishment or where you have your habitual residence. CALIFORNIA RESIDENTS The CCPA provides California residents, who are consumers of Circles, with specific rights regarding their personal information processed by Circles. Details on your these specific rights may be found at https://us.sodexo.com/legal–privacy/california-consumer-privacy-act.html. EXERCISING YOUR RIGHTS To exercise your rights, if you reside outside of the United States or Canada, you can contact us by writing to us at the following address: 800 South Street, Suite 195, Waltham, MA 02451 or at circles.privacy@sodexo.com. In your communication please indicate your last name, first name and reason for your request. We will most likely ask you for additional information in order to identify you and allow us to process your request. For United States or Canadian residents, please utilize one of the following options to contact us:

• email circles.privacy@sodexo.com;
• fill out our GDPR Data Subject Request form at https://privacyportal-eu-cdn.onetrust.com/dsarwebform/c51cde17-e99e-4699-80ce-892748f9ad1a/941d37eb-3727-47db-8040-4e7282414099.html; or
• send a letter to:

Sodexo Office of Ethics, Compliance & Privacy 9801 Washingtonian Blvd Gaithersburg, MD 20878 For California residents, please utilize our specific California Data Subject Request form at https://privacyportal-eu-cdn.onetrust.com/dsarwebform/c51cde17-e99e-4699-80ce-892748f9ad1a/c603db2f-2a85-4ad8-9e51-c0441dc0cd81.html or call our toll free number at 833-955-1494. SECURITY We implement all possible technical and organizational security measures to ensure the security and confidentiality of the processing of your personal data. To this end, we take all the necessary precautions taking into account the nature of the personal data and the risks linked to their processing, in order to ensure the security of the data and in particular to avoid any deformation, deterioration or unauthorized access by third parties. (physical protection of premises, authentication procedures with personal and secure access via confidential identifiers and passwords, connection log, encryption of certain data, etc.). CUSTOMER RELATIONSHIP MANAGEMENT DATABASE (“CRM DATABASE”) We use a database to manage and monitor our relationships with our current and potential customers. This database includes the personal data of associates of our customers or other partners with whom we have a business relationship or with whom we want to establish such a relationship. This data, used only for this purpose, includes in particular: contact details (surname, first name, telephone number, e-mail address, etc.), information accessible to the public, replies to targeted e-mails and other information collected and recorded by our associates as part of their interactions with our customers and partners. If you wish to be removed from our CRM database, please write to 800 South Street, Suite 195, Waltham, MA 02451 or email circles.privacy@sodexo.com. LINKS TO OTHER SITES Occasionally, we provide links to other websites for convenience and information. These websites operate independently of our Website and are not under our control. These websites are operated by third parties with their own privacy recommendations or terms of use which we strongly advise you to read. This privacy policy does not apply to any other third-party websites. We accept no responsibility for the content of these websites, the products and services offered there, or any other use that may be made of them. UPDATING OUR PRIVACY POLICY We may update or modify this privacy policy as necessary. In this case, the modifications will only become applicable after a period of 30 working days from the date of the modification. Please check this page from time to time if you would like to be notified of any changes. UNSUBSCRIBE AND OPT-OUT If you have subscribed to certain services through our Website and you no longer wish to receive emails, click the “Unsubscribe” link at the bottom of any email message you receive from us, send us an email at circles.privacy@sodexo.com.