Privacy Policy of the Xtreme Fest application

Version: V1 — Effective date: June 12, 2026

This is a courtesy translation provided for convenience. In case of any discrepancy, the French version, available at Politique de confidentialité, prevails.

1. Purpose of the Privacy Policy

The purpose of this privacy policy (hereinafter the "Privacy Policy") is to inform the users of the Xtreme Fest mobile application (hereinafter the "Application") of the conditions under which their personal data is collected, used, retained, shared and protected in connection with their use of the Application.

This Privacy Policy supplements the Terms of Use of the Application (hereinafter the "Terms of Use"), without replacing them. The Terms of Use govern the contractual conditions of access to and use of the Application, while this Privacy Policy describes the processing of personal data carried out in that context.

This Privacy Policy applies to any person who downloads, installs, consults, accesses or uses the Application, with or without creating an account.

2. Identity of the data controller

The controller of the personal data processing carried out in connection with the Application is:

  • Publisher: Michel MALDONADO, sole proprietor (EI)
  • SIREN: 922 725 809
  • Address: available on request via the contact e-mail address below
  • Contact e-mail address: contact+xtremefest-app@wtsh.io
  • Publication director / legal representative: Mr Michel MALDONADO

For the purposes of this Privacy Policy, Michel MALDONADO, sole proprietor, is hereinafter referred to as the "Publisher" or the "Data Controller".

3. Data protection officer

As at the effective date of this Privacy Policy, the Publisher has not appointed a data protection officer (hereinafter the "DPO").

In the absence of an appointed DPO, any request relating to personal data may be addressed to: contact+xtremefest-app@wtsh.io.

4. Applicable legal framework

This Privacy Policy is established in particular with regard to:

  • Regulation (EU) 2016/679 of 27 April 2016, known as the General Data Protection Regulation or GDPR;
  • French Law No. 78-17 of 6 January 1978, as amended, known as the French Data Protection Act (loi Informatique et Libertés);
  • French Law No. 2004-575 of 21 June 2004 on confidence in the digital economy;
  • The guidelines, recommendations, reference frameworks and positions published by the French data protection authority (Commission nationale de l'informatique et des libertés — CNIL);
  • The rules applicable to read and write operations on the user's device, in particular regarding trackers, identifiers, SDKs, mobile permissions and equivalent technologies.

5. Who is this Privacy Policy intended for?

This Privacy Policy is intended for:

  • Users who access the Application without creating an account;
  • Users who create an account within the Application;
  • Users who use the favourites, personal schedule, interactive map, notifications, geolocation, reporting, feedback or support features;
  • More generally, any person concerned by a processing of personal data carried out in connection with the Application.

Using the Application without creating an account does not necessarily exclude all processing of personal data, since certain technical data, pseudonymised identifiers, preferences, consent data, notification data or operational data may be necessary for accessing the service, for its security, for the persistence of the user's choices or for evidencing consents.

6. General principles applicable to processing

The Publisher undertakes to process users' personal data in accordance with the principles applicable to the protection of personal data, and in particular the following principles:

  • Lawfulness, fairness and transparency: data is processed on a defined legal basis and users are informed of the processing carried out;
  • Purpose limitation: data is collected for specified, explicit and legitimate purposes;
  • Data minimisation: only the data necessary for the purposes pursued is processed;
  • Accuracy: the Publisher takes reasonable steps to ensure that the data is accurate and, where necessary, kept up to date;
  • Storage limitation: data is kept for a period not exceeding that necessary for the purposes pursued;
  • Integrity and confidentiality: data is subject to appropriate technical and organisational measures;
  • Accountability: the Publisher documents its compliance and implements the measures necessary to comply with the applicable regulations.

In V1, the Application is designed according to the following principles:

  • Access to a substantial part of the features without mandatory account creation;
  • Limited collection of identifying data, the e-mail address being requested only in the event of voluntary creation of an account;
  • No collection of banking or payment data by the Publisher;
  • No collection of health data;
  • No collection of biometric data;
  • No use of advertising identifiers such as IDFA or GAID, unless a future change is expressly brought to the user's attention;
  • No server-side geolocation in V1, subject to final validation of the technical architecture;
  • Use of geolocation only for the features that require it;
  • Activation of processing operations not strictly necessary for the operation of the Application only after the user's consent has been obtained, where such consent is required.

7. Personal data processed

The Publisher may process different categories of personal data depending on the features used by the user.

7.1 Technical data and pseudonymised identifier

Upon the first launch or use of the Application, the Publisher may generate or process a pseudonymised technical identifier of the UUID type or equivalent.

This identifier may be used in order to:

  • Enable the technical operation of the Application;
  • Associate certain preferences or usage data with an installation, a session or an account;
  • Ensure the local persistence of certain data;
  • Enable certain synchronisation operations;
  • Manage consent choices;
  • Prevent certain abuses or malfunctions;
  • Ensure the security and continuity of the service.

This identifier is not a native hardware identifier of the device. It does not, however, necessarily constitute anonymous data: where it makes it possible to single out a user, an installation, a device or a usage, it is treated as pseudonymised personal data.

7.2 Data relating to the functional use of the Application

Depending on the features used, the Publisher may process:

  • The favourites saved by the user;
  • The personal schedule built by the user;
  • Configuration preferences;
  • Notification preferences;
  • The status of consents;
  • The status of certain permissions granted at device level;
  • The data necessary for displaying the programme, artist pages, practical information or the interactive map;
  • The data necessary for offline operation, in particular where certain information is previously downloaded or synchronised.

7.3 Account data

Creating an account is optional.

Where the user chooses to create an account, the Publisher may process:

  • The e-mail address;
  • The data necessary for authentication;
  • The data relating to the verification of the e-mail address, in particular by means of a one-time code where this feature is enabled;
  • The data relating to password reset;
  • The data associated with the account, in particular favourites, the personal schedule, certain preferences or synchronisation data;
  • The date of creation of the account;
  • Where applicable, the date of deletion of the account.

In V1, the Publisher does not request festival-goers' surname, first name, postal address, date of birth or telephone number for the sole purpose of creating an account, unless a subsequent functional change is brought to the users' attention.

7.4 Notification data

Where the user authorises notifications at the operating system level of their device, the Publisher may process:

  • The technical token necessary for the delivery of push notifications;
  • Notification preferences;
  • The data necessary for sending or triggering service-related notifications;
  • The data relating to the user's choices regarding notifications.

Notifications may in particular relate to reminders linked to the personal schedule, to favourites, to useful information relating to the festival or to the operation of the Application.

7.5 Geolocation data

The Application may request access to the user's geographical position in order to enable the operation of certain features related to the festival experience, in particular:

  • Displaying the user's position on the interactive map;
  • Orienting the user within the festival site;
  • Identifying nearby stages, areas, points of interest or services;
  • Where applicable, sending notifications or contextual information strictly related to the service.

Geolocation is used locally in order to display the user's position on the map when the user consults the relevant screen.

Unless otherwise brought to the user's attention:

  • Geolocation is used only when the Application is open or in use;
  • The geographical position is not transmitted to the Publisher's servers;
  • The Publisher does not build up a movement history;
  • The Publisher does not use geolocation for advertising, commercial or profiling purposes;
  • Disabling geolocation may make certain features unavailable, degraded or less accurate, without necessarily preventing access to the features that do not require location.

Should the technical architecture of the Application evolve in such a way as to result in the transmission, retention or analysis of geolocation data by the Publisher or its service providers, this Privacy Policy would be updated to specify the purposes, the recipients, the retention periods, the applicable safeguards and, where applicable, the consents required.

7.6 Consent data

The Publisher may retain evidence of the choices expressed by the user, in particular:

  • The date and time of the choice;
  • The type of consent concerned;
  • The status of the consent, refusal or withdrawal;
  • The method of collection;
  • The version of the privacy policy or of the applicable information;
  • The technical parameters making it possible to link the choice to an installation, a device, a session or an account.

This data is necessary to comply with transparency obligations, to demonstrate the compliance of the processing and to allow the user to change their choices.

7.7 Analytics and audience measurement data

If the user consents thereto where such consent is required, the Publisher may process pseudonymised usage events for the purposes of audience measurement, understanding usage, product improvement, functional analysis and aggregated management of the service.

These events may in particular relate to:

  • The screens viewed;
  • The features used;
  • Technical events related to navigation within the application;
  • Usage journeys;
  • The performance or usage rates of certain features;
  • Interactions with favourites, the schedule, artist pages or the map.

This processing is not intended to directly identify the user or to serve them targeted advertising.

7.8 Diagnostics data, crash reports and technical support

If the user consents thereto where such consent is required, or where the processing is strictly necessary for the security and proper functioning of the Application, the Publisher may process technical data relating to crashes, errors, performance and malfunctions, in particular:

  • Crash reports;
  • Stack traces;
  • Technical metadata;
  • Information relating to the state of the application;
  • Information relating to the device, the operating system and the version of the application;
  • Masked session recordings where this feature is enabled;
  • Technical feedback content voluntarily submitted by the user.

The Publisher endeavours to limit the data collected in this context and to mask personal data or sensitive fields where the tools used allow it.

7.9 Data voluntarily provided by the user

Where the user uses a contact, support, reporting, feedback or festival proposal feature, the Publisher may process the information voluntarily provided, in particular:

  • The content of a message;
  • The content of a report;
  • The text of a feedback;
  • The name of a proposed festival;
  • The city or location of a proposed event;
  • A screenshot or an attachment;
  • The contact e-mail address, where the user chooses to provide it;
  • Any other information voluntarily provided by the user.

The user is invited not to provide data that is unnecessary, excessive, sensitive or relating to third parties without a legitimate reason.

8. Data not collected

In the current state of the Application, the Publisher does not collect the following data:

  • Festival-goers' surname and first name, except where voluntarily provided in a contact or support message;
  • Users' personal postal address;
  • Users' telephone number;
  • Payment data or banking data;
  • Health data;
  • Biometric data;
  • Content of personal communications;
  • Data from social networks, except in the event of voluntary interaction with a third-party service;
  • Advertising identifiers such as IDFA or GAID;
  • Server-side geolocation data, subject to final validation of the technical architecture;
  • Movement history;
  • Data used for targeted advertising purposes.

This list may evolve in the event of changes to the features, the technical architecture or the economic model of the Application. In such a case, this Privacy Policy would be updated.

9. Read and write operations on the device

Certain features of the Application involve writing or reading information on the user's device, in particular in order to:

  • Ensure the persistence of preferences;
  • Retain favourites and the personal schedule;
  • Store or retrieve a pseudonymised technical identifier;
  • Retain consent choices;
  • Enable offline operation;
  • Manage the caching of certain useful data, in particular map or programme data;
  • Enable the operation of notifications;
  • Maintain the security and technical operation of the application.

Where these operations are strictly necessary for the provision of the service expressly requested by the user or for the operation of the Application, they may be carried out without prior consent.

Where these operations are not strictly necessary for the requested service, they are subject to the prior consent of the user, which may be withdrawn at any time from the Application's settings or, as the case may be, from the device settings.

Permissions granted at operating system level, in particular for geolocation or notifications, allow the user to technically authorise or refuse access to certain device features. They do not replace, where required, the consent provided for by the regulations applicable to personal data or trackers.

10. Purposes and legal bases of the processing

The Publisher processes users' personal data for the following purposes and on the following legal bases.

PurposeData concernedLegal basisComments
Provision of the Application and its main featuresPseudonymised technical identifier, preferences, favourites, schedule, data necessary for displaying contentPerformance of the contract / legitimate interestEnable access to the service and its normal operation
Use without an accountPseudonymised technical identifier, preferences, local data, status of permissionsPerformance of the contract / legitimate interestEnable a user experience without mandatory registration
Creation and management of the accountE-mail address, authentication data, verification data, synchronisation dataPerformance of the contractCreation, access, synchronisation, reset, deletion of the account
Favourites and personal scheduleFavourites, schedule, associated preferencesPerformance of the contractFeatures expressly requested by the user
Interactive map and geolocationDevice position, map data, points of interestPerformance of the contract / OS permission / consent where requiredLocal geolocation in V1, subject to technical validation
Local notificationsFavourites, schedule, local preferencesPerformance of the contractReminders triggered according to the user's choices
Service-related push notificationsPush token, notification preferences, notification contentPerformance of the contract / legitimate interest / OS permissionUtility notifications related to the service or the festival experience
Commercial or partner notifications, where applicablePush token, preferences, targeting data where necessaryConsentNot planned in V1 except with specific information and consent
Analytics and audience measurementPseudonymised usage events, journey data, functional dataConsent where requiredAudience measurement, product improvement, aggregated statistics
Diagnostics, crash reports and technical improvementTechnical logs, stack traces, metadata, crash reports, masked session dataConsent where required / legitimate interest for security and the correction of critical anomaliesStability, security, correction of malfunctions
Support, reports and feedbackVoluntarily provided content, optional e-mail, screenshots, commentsLegitimate interest / performance of pre-contractual or contractual measuresResponding to requests, handling reports, improving the service
Management of consentsHistory of choices, timestamps, applicable version, status of consentsLegal obligation / legitimate interestDemonstration of compliance and management of preferences
Security, prevention of abuse and defence of rightsTechnical data, logs, evidence, account dataLegitimate interest / legal obligationPreventing abuse, handling incidents, preserving the Publisher's rights
Responding to requests to exercise rightsIdentification data, request, exchanges, supporting documents where applicableLegal obligation / legitimate interestManagement of GDPR requests and evidence of the handling of the request

Where the Publisher bases a processing operation on its legitimate interest, the user may, under the conditions provided for by the applicable regulations, object to the processing on grounds relating to their particular situation, unless the Publisher demonstrates compelling legitimate grounds that override the user's interests, rights and freedoms.

11. Notifications

The Application may generate local notifications or push notifications.

11.1 Local notifications

Local notifications are generated directly by the Application on the user's device, in particular based on their favourites, their personal schedule or their configuration choices.

They serve a utilitarian and functional purpose.

11.2 Push notifications

Push notifications are delivered to the user's device via the technical services of the mobile operating systems, in particular Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM).

Where the user authorises notifications at operating system level, the Publisher may process the technical token necessary for the delivery of these notifications.

Push notifications serve a factual, utilitarian and service-related purpose, in particular:

  • Useful information relating to the festival;
  • Reminder linked to a favourite or a schedule event;
  • Information related to the operation of the application;
  • Contextual information related to the festival experience, where this feature is available.

11.3 Commercial or partner notifications

The Publisher does not send advertising, commercial or partner notifications without the user's specific consent.

Should the Application subsequently offer commercial, sponsored or partner notifications, the user would be informed in advance and would be able to consent or object thereto in accordance with the procedures provided for by the applicable regulations.

The user may at any time change their notification preferences from the Application or from their device settings, as the case may be.

12. Geolocation

Access to the user's geographical position is used only for the features of the Application that require this information.

The user may, at any time, authorise, limit, suspend or disable the Application's access to their location from their device settings, under the conditions offered by the operating system used.

In the event of refusal, deactivation or limitation of access to geolocation, certain features of the Application may be unavailable, degraded or less accurate, in particular:

  • Displaying the user's position on the interactive map;
  • Orientation within the festival site;
  • Identification of nearby points of interest;
  • Certain notifications or contextual information related to location.

Features that do not require access to location remain accessible, subject to their technical availability.

Geolocation is not transmitted to the Publisher's servers, is not retained by the Publisher and does not give rise to the creation of a movement history.

The Publisher does not use geolocation for advertising, commercial or profiling purposes.

13. Recipients of the data and processors

The personal data processed in connection with the Application may be accessible, within the limits of their respective remits:

  • To authorised persons within the Publisher's organisation;
  • To technical service providers acting on behalf of the Publisher;
  • To processors involved in particular in hosting, authentication, storage, analytics, crash reporting, notifications or mapping;
  • To administrative, judicial or supervisory authorities, only where required by law or where necessary for the defence of the Publisher's rights.

The Publisher does not sell users' personal data.

13.1 Identified technical processors

As at the date of this Privacy Policy, the main identified processors or technical service providers are the following:

ProcessorServiceLocationSafeguards
Supabase, Inc.Database hosting and distribution of festival content (programme, artists, practical information)European UnionData processing agreement (Art. 28 GDPR); standard contractual clauses where applicable
Functional Software, Inc. (Sentry)Crash reports, diagnostics and performance monitoringData hosted in the European Union (Germany); company established in the United StatesEU-U.S. Data Privacy Framework; standard contractual clauses; data processing agreement
PostHog, Inc.Audience measurement and usage statistics (analytics), feature flag managementData hosted in the European Union (PostHog EU instance); company established in the United StatesStandard contractual clauses; data processing agreement
Mapbox, Inc.Base maps and map rendering for the interactive mapUnited StatesEU-U.S. Data Privacy Framework; standard contractual clauses

The Publisher takes care to use only service providers offering sufficient guarantees with regard to the applicable regulations and, where required, governs their involvement through data processing agreements compliant with Article 28 of the GDPR.

14. Third-party services accessible from the Application

Certain features of the Application may integrate, embed or redirect to services, content or websites published by third parties.

As at the date of this Privacy Policy, these may include in particular, depending on the features actually available:

  • Cashless, ticketing or payment services accessible via webview or redirection, such as Weezevent / weezpay;
  • Video players or content, such as YouTube;
  • Audio players or content, such as Spotify;
  • Any other third-party service integrated into or accessible from the Application.

Unless otherwise indicated, the Publisher does not directly transmit personal data to these third-party services. However, when the user accesses such content or services, the third parties concerned may collect information directly by means of their own technologies, embedded players, WebViews, cookies, trackers, SDKs or interfaces, in accordance with their own privacy policies and terms of use.

These third-party services are operated under the responsibility of their respective publishers. The Publisher invites the user to consult the privacy policies and terms of use of these services before using them.

Where the Application provides access to a payment service, a cashless wallet, a ticketing service or any other transactional service provided by a third party, the Publisher does not act, unless otherwise stated, as a payment service provider, ticketing operator, seller, agent or controller of the processing operations directly carried out by the third party concerned.

15. Transfers of data outside the European Union

Certain personal data may be transferred outside the European Union or be accessible from countries located outside the European Union, in particular as a result of the involvement of certain technical service providers or third-party services.

The transfers or access outside the European Union that may be concerned may in particular involve:

  • Mapbox, whose services are operated from the United States;
  • Sentry and PostHog, whose companies are established in the United States, the data nevertheless being hosted in the European Union;
  • Certain third-party services accessible from the Application, where the user interacts with them.

Where transfers of personal data outside the European Union are carried out by the Publisher or its processors, the Publisher ensures that they are governed by a mechanism recognised by the applicable regulations, in particular:

  • An adequacy decision of the European Commission;
  • The EU-U.S. Data Privacy Framework where the recipient is validly certified thereunder;
  • The standard contractual clauses adopted by the European Commission;
  • Any other appropriate safeguard provided for by the applicable regulations.

Details of the applicable safeguards may be provided to the user upon request, within the limits of the information actually available from the service providers concerned and subject to the applicable confidentiality obligations.

16. Retention periods

The Publisher retains personal data for a period not exceeding that necessary for the purposes for which it is processed, subject to legal retention obligations, evidentiary needs, the security of the service and the defence of its rights.

As at the date of this Privacy Policy, the following retention periods are applied:

Category of dataActive retention periodIntermediate archiving / comments
Account dataLifetime of the accountDeletion or anonymisation upon deletion of the account, except in the event of a legal obligation, security, litigation or defence of rights
Account e-mail addressLifetime of the accountDeletion or anonymisation upon deletion of the account, except for evidentiary or legal needs
Favourites and personal scheduleLifetime of the account or of the local installationDeletion upon deletion of the account or of the local data, except for irreversible anonymisation or aggregation
Pseudonymised technical identifierPeriod of use of the Application or period necessary for the operation of the serviceDeletion, reset or anonymisation according to the technical means available
Push tokensUntil withdrawal of the authorisation, uninstallation, technical expiry of the token or deletion of the accountDeletion or technical invalidation when they are no longer useful
Local geolocation dataNo retention by the Publisher in V1, subject to technical validationNo server-side retention in V1, except in the event of a change brought to the user's attention
Consent history5 years from the last choice or the withdrawal of consentEvidentiary retention with restricted access
Pseudonymised analytics13 months maximum from collection, unless a shorter period is configured in the toolAggregated and anonymised statistics may be retained for longer
Crash reports and technical diagnostics6 to 12 months from collection depending on the criticality and the tool usedPeriod to be specified according to the Sentry configuration and correction needs
Support, feedback and report dataDuration of the handling of the request, then 3 years from the last exchangeEvidentiary retention with restricted access, except in the event of litigation or a longer legal obligation
Security logs6 to 12 months depending on criticalityLonger retention possible in the event of an incident, investigation, fraud or litigation
Anonymised or aggregated dataRetention without specific limitationOutside the scope of the GDPR if the anonymisation is effective and irreversible

Upon expiry of the applicable periods, the data is deleted, anonymised or securely archived where such retention is necessary for legal, evidentiary or rights-defence purposes.

17. Account deletion and anonymisation

Where a user who has created an account requests its deletion from the Application's settings or by any other means indicated by the Publisher, the Publisher implements a process intended to:

  • Erase or anonymise the e-mail address associated with the account;
  • Neutralise the authentication credentials;
  • Delete the profile and the rights associated with the account;
  • Delete or anonymise the data associated with the account, in particular favourites and the personal schedule, except for legitimate retention;
  • Retain anonymised or aggregated data where legitimate;
  • Allow, where applicable, continued use of the application in anonymous mode if the user continues to use the application.

Deletion of the account does not necessarily entail the immediate erasure of all data if certain information must be retained for legal, security, abuse-prevention, evidentiary or rights-defence purposes.

Where data is anonymised, the Publisher ensures that the anonymisation is effective, irreversible and prevents any reasonably possible re-identification.

18. Data security

The Publisher implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing, in particular in terms of confidentiality, integrity, availability and resilience of systems and services.

These measures may in particular include:

  • The use of encrypted transmission channels;
  • The secure storage of local identifiers in protected areas of the device where technically possible;
  • Access control for tools and databases;
  • Limiting access to authorised persons only;
  • Logging of certain accesses or technical operations where necessary;
  • Masking of certain personal data in diagnostic tools where this feature is available;
  • Disabling unnecessary telemetry where such deactivation is possible;
  • The implementation of backups, monitoring measures, remediation procedures and appropriate continuity measures;
  • The contractual framing of service providers and processors.

The user also contributes to the security of their data by protecting their device, their e-mail address, their credentials and, where applicable, their password.

As no method of transmission or storage can guarantee absolute security, the Publisher cannot guarantee perfect security in all circumstances. The Publisher nevertheless undertakes to handle security incidents in accordance with the applicable regulations.

19. Personal data breaches

In the event of a personal data breach likely to result in a risk to the rights and freedoms of the data subjects, the Publisher will notify the breach to the CNIL under the conditions and within the time limits provided for by the applicable regulations.

Where the breach is likely to result in a high risk to the rights and freedoms of the data subjects, the Publisher will also inform the data subjects under the conditions provided for by the applicable regulations.

The Publisher documents personal data breaches in an internal breach register.

20. Rights of data subjects

In accordance with the applicable regulations, every data subject has, subject to the conditions and limits provided for by the legislation, the following rights:

RightDescription
Right of accessObtain confirmation as to whether or not personal data is being processed and, where it is, obtain access to that data and to information relating to the processing
Right to rectificationRequest the rectification of inaccurate or incomplete data
Right to erasureRequest the erasure of one's data in the cases provided for by the applicable regulations
Right to restriction of processingRequest the temporary suspension of certain processing operations in the cases provided for by the applicable regulations
Right to data portabilityReceive certain data in a structured, commonly used and machine-readable format, where this right is applicable
Right to objectObject to certain processing operations based on legitimate interest, on grounds relating to one's particular situation
Right to withdraw consentWithdraw one's consent at any time where the processing is based on consent, without such withdrawal affecting the lawfulness of the processing carried out before the withdrawal
Right to define post-mortem directivesDefine directives relating to the fate of one's personal data after death, under the conditions provided for by French law
Right to lodge a complaint with the CNILRefer the matter to the competent supervisory authority in the event of a difficulty relating to the processing of one's personal data

21. Right to object

The right to object is specifically brought to the user's attention.

Where the processing is based on the Publisher's legitimate interest, the user may object to it at any time on grounds relating to their particular situation.

In such a case, the Publisher shall cease the processing concerned, unless it demonstrates that there are compelling legitimate grounds for the processing which override the user's interests, rights and freedoms, or that the processing is necessary for the establishment, exercise or defence of legal claims.

Should direct marketing processing be carried out, the user would have the right to object thereto at any time, without having to give any reason.

The Publisher does not intend to use users' data for direct marketing purposes, unless otherwise indicated and subject to the collection of the applicable consents or objections.

22. Exercise of rights

To exercise their rights or to ask any question relating to the processing of their personal data, the user may contact the Publisher:

The request must specify the right being exercised, the data or processing concerned and the information enabling the Publisher to properly handle the request.

Where necessary, the Publisher may ask the user for additional information in order to verify their identity or to understand their request, to the extent strictly necessary.

The Publisher will respond to the request as soon as possible and, in any event, within one month of receipt of the complete request.

This period may be extended by two months where the complexity or the number of requests so justifies. In that case, the Publisher will inform the user of this extension and of the reasons for the delay within the initial one-month period.

The user also has the right to lodge a complaint with the CNIL:

Commission nationale de l'informatique et des libertés (CNIL)
3 Place de Fontenoy – TSA 80715
75334 Paris Cedex 07
Website: www.cnil.fr

The right to lodge a complaint with the CNIL does not deprive the user of the right to seek any appropriate judicial remedy.

23. Management of consents

Where the user's consent is required, the Publisher collects it by means of a dedicated mechanism, separate from the general acceptance of the Terms of Use.

As at the date of this Privacy Policy, the Publisher provides in particular for:

  • The absence of any pre-ticked box;
  • The possibility to accept, refuse or customise choices where several purposes are concerned;
  • Separate choices for analytics and diagnostics where such processing is not strictly necessary;
  • The possibility to withdraw consent at any time from the application's settings;
  • The retention of evidence of the consent, refusal or withdrawal.

Withdrawal of consent does not affect the lawfulness of the processing carried out prior to the withdrawal.

Where the user withdraws their consent to an analytics or diagnostics processing operation, the Publisher shall cease, for the future, the processing concerned under the technically applicable conditions and shall, where possible, purge the events not yet sent.

24. Minors

Use of the Application is reserved for persons aged at least fifteen (15) years.

The Publisher does not knowingly intend to collect personal data from users under fifteen (15) years of age.

If the Publisher finds that an account has been created or that the Application is being used in breach of this age requirement, it may take any appropriate measure, including deleting the account concerned or limiting access to certain features, subject to the necessary verifications.

Where consent to the processing of personal data is required for a user under fifteen (15) years of age, such processing may, in principle, only take place under the conditions provided for by the regulations applicable to minors and to holders of parental authority.

25. Amendments to the Privacy Policy

The Publisher reserves the right to amend this Privacy Policy, in particular in order to:

  • Take account of a legal, regulatory or case-law development;
  • Reflect a change in the application's features;
  • Take account of a change of service provider, processor or third-party service;
  • Specify the processing operations actually carried out;
  • Improve the clarity, precision or accessibility of the information provided to users.

The applicable version is the one in force at the time the Application is used.

In the event of a substantial amendment, the Publisher may inform users by any appropriate means, in particular by in-app notification, dedicated message or, for users with an account, by e-mail.

Where the amendment involves processing based on the user's consent, the Publisher will, where applicable, seek new consent.

26. Contact

For any question relating to this Privacy Policy or to the processing of personal data in connection with the Application, the user may contact the Publisher:

E-mail address: contact+xtremefest-app@wtsh.io

Postal address: available on request.

← Back to homepage