NESPRESSO PERSONAL DATA PROTECTION POLICY

Nespresso respects your right to privacy and has not waited for the General Data Protection Regulation (“GDPR”) to put in place all the technical and organizational measures necessary to guarantee the security of the personal data you transmit to us.

This privacy policy (“the Policy”) explains to you how your personal data is collected, used and possibly transmitted to third parties by different Nespresso companies (“Nespresso”, “us”). It also describes how you can access, update, and make choices about how your personal data is used.

It covers both our online and off-line data collection activities, including personal data that we collect through our various channels such as our websites, apps, third-party social medias, Customer Relationship Centers, shops, points of sale and events. Please be aware that personal data we collect through one channel (for example, this website or this app) may in some cases be combined with personal data collected through another channel (e.g. an offline event organized by Nespresso).

Likewise, we may aggregate personal data originally collected by Nespresso entities.

Refer to Question n°8 – “What are your rights and how can you exercise them?” for the procedure to follow if you wish to object.

If any personal data is missing at the time of collection (we will inform you where applicable, for example, by clear messages in our registration forms), we may not be able to provide our products and/or services to you.

This Policy provides answers to the following questions:

1. When does Nespresso collect your personal data?
2. What personal data do we collect and how?
3. What is Nespresso’s policy regarding children’s personal data?
4. How do we use your personal data?
5. Does Nespresso disclose your personal data and why?
6. How long do we keep your personal data for?
7. How does Nespresso store and/or transfer your personal data?
8. What are your rights and how can you exercise them?
9. What are your choices about the use of your personal data?
10. Changes to our Policy
11. Virtual advisor
12. Who are the Data Controllers and how can you contact them?

1. When does Nespresso collect your personal data?

The Policy applies to personal data we obtain from you or collect about you, through the methods described in Question n°2 - “What personal data do we collect and how?"”, from the following sources:

• Nespresso Websites: Online sites managed by or for Nespresso, including sites we operate under our own domain names/URLs and mini-sites we have created on social medias of third parties such as Facebook ("Websites").

• Mobile sites/Apps: websites or mobile apps designed for consumers and operated by or for Nespresso, such as smartphone apps.

• Emails, SMS and other electronic messages: this includes electronic communications between you and Nespresso.

• Customer Relationship Center (“CRC”): any communication from you with our CRCs (letters, calls, emails, chats).

• Nespresso Stores: Stores managed by Nespresso.

• Offline registration forms: printed registration forms and similar forms by which we collect personal data from consumers, by post, during in-store demonstrations, contests and other promotions or events.

• Advertising interactions: interactions with our brand advertising banners (for example, if you interact with one of our brand advertising banners on a third-party site, we may receive information about that interaction).

• Points of sale: Demonstrators in physical third-party stores used to help you register your machine and coffee order.

• Telemetric data: Data collected by Nespresso coffee machines (those connected by Wi-Fi), such as the serial number of the machine, machine alerts or errors, and the different types of coffees made by consumers, with their respective dates and times.

• Data from other sources: Third-party social media (such as Facebook and Google) or market research (if the participation is not anonymous).

• Data we create: In our interactions with you, we may create data associated with you (for example, tracking your online purchases on one of our websites).

• Data from other sources: information about you that we collect through social media (e.g. Facebook), advertising networks (e.g. Google), messaging applications (e.g. WhatsApp), market research (if such data is not anonymous), Nespresso advertising partners, public sources, or when acquiring a company.

2. What personal data do we collect and how?

Depending on how you interact and communicate with Nespresso (online, offline, phone, etc.), we may collect from you various types of information as described below:

• Personal contact details: this includes any information you provide to us so that we can contact you personally, such as your name, mailing address, email address or phone number.

• Login data to your account: the data needed to access your profile on your Nespresso account. This may be your username/email address, password and/or security question and relevant response.

• Email: We analyze your interactions with our content (e.g. click, email opened) to provide you with personalised information based on your interests and preferences.

• Demographic data and interests: Information about your demographic or behavioral characteristics. This includes, for example, your date of birth, age, geographical location (e.g. your postal code), your favorite products, hobbies and interests, as well as information about your household and lifestyle.

• Technical data on your computer/mobile device : information relating to your computer system or any other technological device you use to access one or more of our websites or apps, such as the Internet Protocol (IP) address used to connect your computer or device to the Internet, type of operating system, and the type and version of your web browser. If you access a Nespresso site or app from a mobile device such as a smartphone, the information collected will include, where permitted, your phone’s unique identifier, advertising ID, geolocation and other similar data related to mobile devices.

• Information on website use/interaction: When you browse and interact with our websites or newsletters, we use automatic data collection technologies to gather specific information about your actions. This includes information such as the links you click on, the pages or content you view and for how long, and other similar information, as well as statistics about your interactions such as content response times, download errors, and the length of time you spend on certain pages. This information is captured using automated technologies such as cookies (browser cookies, flash cookies) and web beacons, and is also collected using third-party tracking devices. You have the right to object or not consent to the use of these technologies; for more information on this subject, please read our “Nespresso Cookies Policy”.

• Market research and consumer feedback : this includes information you voluntarily provide us about your experience as a user of our products and services.

• Consumer Generated Content: This refers to any content you create and share with us on third party social media or by posting it on one of our websites or apps, including using third party social media apps such as Facebook. This includes photos, videos, personal stories or other similar content or media, or private posts, or messages you may leave on Nespresso's social media. If you have agreed, we will collect and publish content generated by you during various activities, such as games or other advertising activities, the website’s community functions, consumer reviews and comments, and presence on third-party social media.

• Information related to use of third-party social media: This refers to any information that you share publicly on a third-party social media or that is part of your profile on a third-party social media (such as Facebook) and that you have authorized the third-party social media to share with us. This includes your basic account information (name, email address, gender, date of birth, current location, profile picture, user ID, friends list, etc.) and any additional information or activity that you have authorized the third-party social media to share. We receive your third-party social media profile information (or parts of it) whenever you download or interact with a Nespresso web app on a third-party social media such as Facebook, whenever you use the function of a social media embedded in a Nespresso site (such as Facebook Connect), or whenever you interact with us through a third-party social media. To find out more about how your information from a third-party social media is obtained by Nespresso, or to opt out of sharing such social media information, please visit the third-party social media website in question.

• Financial data and payment: any information we need to fulfill an order, or that you use to make a purchase, such as your bank card details (cardholder name, card number, expiry date, etc.) or details of other payment methods (if available). In all cases, we or our payment processor(s) manage and process financial and payment data in accordance with applicable regulations and security standards, such as the Payment Card Industry Security Standard.

• Calls to the Customer Relations Center: your communications with our CRC may be recorded or listened to, in accordance with applicable laws, for the purposes of quality control or staff training. You will be informed of this recording at the start of your call. Bank card information is not recorded.

• Sensitive personal data: We do not collect or process sensitive personal data (e.g. health data) in the course of our day-to-day business activities. If we were required to collect or process such data for the purposes of sending marketing or medical communications, we would do so in strict compliance with the GDPR provisions relating to the processing of special data categories, and only with your explicit consent with regard to specific and legitimate purposes pursued by Nespresso.

3. What is Nespresso’s policy regarding children’s personal data?

We believe it is extremely important to protect the privacy of children accessing the Internet and encourage parents or guardians to spend time with them, participating in and managing their online activities.

On our websites (in particular online shops), only adults can create an account.

We do not collect personal data from children. If we become aware that we have accidentally collected personal data from children under the age of 18, we will immediately delete their data from our databases.

The only exception concerns the collection of personal data of children under 18 directly through a parent or guardian, with their explicit consent.

Therefore, we do not knowingly contact or collect personal data directly from children under 18 years of age for marketing purposes.

You may at any time verify, modify or delete the personal data of your child. You can also request the deletion of your child’s data by sending the request by post to the address given in the contacts indicated in Question 8 – “What are your rights and how can you exercise them?”.

4. How do we use your personal data?

The following table lists the purposes for which Nespresso collects and processes your personal data and the different types of personal data collected for each purpose. Please be aware that some people may not be affected by some of the uses listed below.

5. Does Nespresso disclose your personal data and why?

In addition to the legal entities of the Nespresso/Nestlé Group mentioned in Question n°12 - “Who are the data controllers and how can you contact them?”, we may share your personal data with different groups of third-party companies:

Service providers: These are external companies that we use to help us carry out our activities (order fulfillment, payment processing, fraud detection, identity verification, website operation, market research, support services, advertisement management, website development, hosting, sending communications, data analysis, Customer Relations Center, etc.). These service providers, and some members of their staff, are authorized to use your personal data on our behalf only for the specific tasks that have been requested, according to our instructions, and are required to protect the confidentiality and security of your personal data. Where required by law, you can obtain a list of providers that process your personal data (see Question n°12 - “Who are the data controllers and how can you contact them?”).

Credit reporting/debt collection agencies: to the extent permitted by law, credit reporting and debt collector are external companies that we use for credit checks (in particular for orders with invoices) or to collect outstanding invoices.

Third-party companies using personal data for their own marketing purposes: with the exception where you have given your consent, we do not sell your personal data to third-party companies for their own marketing purposes. Where applicable, you will be informed of the identity of these third-party companies when we request your consent. For example, we may share with Meta Plateforms Ireland Limited (“Meta”), Google Ireland Limited (“Google”) and other partners certain data about your actions on our websites, such as your visits, interactions on our websites, use of Facebook Connect, and information collected using cookies or similar technologies, including the Facebook pixel. This enables us to assess the effectiveness of our ads, improve our marketing practices, and help us run more relevant ads for you and others who share the same interests (including on social media such as Facebook, and others). We are joint data controller with Meta. We have entered into a joint processing agreement under which we are required to provide you with the information set out in this policy and more specifically this paragraph. You should contact Meta directly if you wish to exercise your data protection rights on this social media. Further information, including how Meta enables you to exercise your rights and then processes your information as an independent data controller, can be found in Meta's data policy, available at https://www.facebook.com/about/privacy.

Similar terms may apply to other third-party providers, such as Google tags or other technologies. To learn more about the personal data processed by Google, you can consult the Privacy Policy and Terms of Use on the Google website.

Third-party recipients using personal data for legal reasons or because of a merger/acquisition: we will disclose your personal data to third parties when required by law or in the context of an acquisition or merger (see Question n°4 - “How do we use your personal data?” for more information).

Data sharing within Nespresso (Nespresso France, Nespresso S.A., Nestlé France) family: each Nespresso family company may, if you have given your consent, share your personal data with the other Nespresso family companies to send you marketing communications about their own news, brands and products. They can contact you through different channels (email, sms, etc.) if you have given your consent to receive this type of communications.

6. How long do we keep your personal data for?

Your personal data is kept by Nespresso only for as long as is reasonably necessary for the purposes described in this Policy and in the specific information notices that you may find at the bottom of our forms. We use the following criteria to determine how long we keep your personal data:

1. Nespresso will store your personal data in a form that enables you to be identified for the duration of your participation in one or more of our loyalty programs, or for the duration of your membership in one of our online services. The data necessary to customize your experience will also be kept in this context. They can then be stored and processed for 3 years after your last contact with us, to allow us to send you marketing or commercial solicitations, with your consent.

2. Nespresso will retain the data necessary for the performance of a contract that you have concluded with us for the duration of the performance of the contract, increased by a period of 5 years, if applicable

3. If you participate in a contest, the data strictly necessary for the organization of the contest will be kept for a period of 12 months after the end of the contest. If you have consented to receive newsletters during your participation in the contest, the data necessary to take account of your subscription to the newsletter and your preferences will be kept for the period mentioned in a).

4. In the event of a dispute or litigation, Nestlé will retain your data for the period necessary to resolve the dispute or dispute and until all legal remedies have been exhausted.

5. However, your personal data may be retained for a longer period of time under specific legal obligations or applicable statutory limitation periods. For example, data will be retained for:

   • 6 years for tax documents;
   • 10 years starting from the end of the fiscal year.

6. Personal data used to offer you a personalised experience (see Question n°4 - “How do we use your personal data?” for more details) will be retained for the period permitted by applicable laws.

Beyond the retention periods mentioned above, your personal data will either be securely deleted from all Nespresso databases or anonymized.

7. How does Nespresso store and/or transfer your personal data?

We take all necessary technical and organizational measures to ensure the confidentiality and security of your personal data. Please note, however, that these measures do not apply to information you choose to share on public spaces, including third-party social medias

• People with access to your personal data: your personal data will be processed by our dedicated staff or service providers, and only for the purposes described to you when your personal data was collected (e.g. our staff in charge of customer service or customer relationship questions will only have access to your file regarding this purpose).

• Measures taken in operating environments: we store your personal data in operating environments where appropriate security measures are implemented to prevent unauthorized access. We comply with applicable regulations to protect your personal data. Unfortunately, the transmission of information via the Internet cannot be completely secure, and although we do our utmost to protect your personal data, we cannot guarantee the security of your data during transmission via our websites or apps.

• What we expect from you: you also have a key role to play in ensuring the security of your personal data. When creating an online account, be sure to choose a difficult password to guess, different from other third-party online accounts and never reveal your password to anyone. It is your responsibility to protect the confidentiality of this password, and you are responsible for any use you make of your account, whatever it is. If you are using a shared or public computer, make sure that the option to remember login, email address, or password is never ticked, and make sure that you always log out of your account whenever you leave the computer. You must also use the privacy settings or controls that we make available to you on our website or app.

• Transfer of your personal data: the storage and processing of your personal data requires that your personal data be transferred to, accessed or stored, at any time, in a country other than that in which you reside.

We may also transfer your personal data to countries outside the European Economic Area (EEA), (for example to other legal entities of the Nespresso/Nestlé Group), including countries with different standards of personal data protection than those applied in the EEA (such as USA, Ukraine, Brazil, Philippines). In this case, we (i) have implemented Binding Corporate Rules to protect your personal data and/or we (ii) use other applicable transfer mechanisms (where required by law).

8. What are your rights and how can you exercise them?

Access to your personal data: You, your descendants, representatives and/or agents have the right to access, consult and request a physical or electronic copy of the information we hold about you. You also have the right to request information about the source of your personal data.

Other rights (e.g., modification or deletion of personal data): You, your descendants, representatives and/or agents may, depending on the applicable legal basis (i) request the deletion, portability, rectification or modification of your personal data; (ii) object to the processing of the data; (iii) limit the use and disclosure of your personal data; and (iv) withdraw your consent to any of our processing activities of your personal data.

We do not solicit telephone calls, unless you have given your prior consent. However, we would like to inform you that you can register for free on the Bloctel Do Not Call list.

Please be aware that in some cases deleting your personal data will necessarily involve deleting your user account. We may also be required to retain some of your personal data, after your request for deletion, for the purpose of fulfilling our legal or contractual obligations (see Question n°6 - “How long do we keep your personal data for?”).

How to exercise these rights?

Where possible, our websites include a dedicated function allowing you to view and modify the personal data you have provided to us. Please note that, before you can access or change your account information, people registered on a website must prove their identity (for example, by providing their login/email address, password) to avoid unauthorized access to an account.

You can exercise these rights:

• by post: Nespresso France - Service Protection des données personnelles - TSA 71623 - 75901 Paris Cedex 15

• by telephone by calling our Customer Relations Center on +33 0800 55 52 53.

If there is reasonable doubt about your identity, we may ask you to attach a copy of your identification or other proof of identity to your request. If the request is submitted by someone other than you, this person will have to prove that the request is legally made on your behalf, otherwise the request will be rejected.

Please note that any identification information provided to us will be processed only in accordance with and to the extent permitted by applicable laws.

We hope to be able to answer any questions and queries you may have about how we process your personal data. However, if we cannot resolve all your concerns, you also have the right to lodge a complaint with the CNIL (https://www.cnil.fr/fr/plaintes)

9. What are your choices about the use of your personal data?

We are committed to enabling you to make the most informed choices possible regarding the personal data you provide to us. The following mechanisms give you control over your personal data:

Cookies/similar technologies: you manage your consent via (i) our consent management solution or (ii) your browser to decide whether you allow or refuse the use of some or all of the cookies/similar technologies, or if you want to be alerted when similar cookies/technologies are used. We invite you to consult our “Nespresso Cookies Policy” for more information.

Advertising, marketing and promotions: if you would like your personal data to be used by Nespresso to send you promotional communications about our products or services, you can indicate this by ticking the corresponding box(es) in the online registration form, or by answering the question(s) asked about this by our Customer Relations Center, our representatives in shops. If you no longer wish to receive these promotional communications, you may unsubscribe from marketing communications at any time by following the instructions provided in each of these communications. An unsubscribe link appears at the bottom of any marketing communication you receive from Nespresso. At any time, you can request to stop receiving marketing communications from any media outlet. To do this, contact our Customer Relations Center, or connect to the third-party websites, apps or social medias in question and change your user preferences in your account profile by unchecking the corresponding boxes or contacting our consumer service. Please be aware that even if you refuse to receive marketing communications, you may still receive administrative communications from us, such as order confirmations or other transactions, notifications about your account activities (account confirmations, password changes, receipt of invoices, significant changes to our services, etc.), and other important non-marketing information, if you are a customer of one of our online sales sites.

Personalisation (offline and online)): Your personal data is used by Nespresso to provide you with a personalised experience/targeted advertising and content. You may request to opt out of this customization at any time. To do this, contact our Customer Relations Center, or log in to websites or apps and change your user preferences in your account profile by unchecking or checking the corresponding boxes.

Targeted advertising: We may partner with advertisers who display banner advertisements on the Internet for one of our brands or brands of companies outside the Nespresso Group. These banner ads are targeted at your interests, based on information collected from Nespresso or third-party websites. You can visit www.aboutads.info/choices for more information on this type of targeted advertising, and on how you can block the appearance of these targeted advertisements (‘opt-out’) for companies participating in the Digital Advertising Alliance’s (‘DAA’) self-regulatory program. You can similarly download this DAA app on your mobile device to block these targeted ads. We also remind you that you can block geolocation data collection at any time by changing settings on your mobile device.

10. Changes to our Policy

If there is a change in the way we manage and process your personal data, we will update this Policy. We reserve the right to change our practices and this Policy at any time. Please check our Policy regularly for updates or changes.

11. Virtual advisor

This dialog box is there to guide you as best as possible on our site. However, please do not provide any personal data that could allow your identification. In the same way, please do not reveal any sensitive personal data such as information about your health or your personal opinions and beliefs. Nespresso disclaims any obligation specific to the protection of personal data on this tool. However, to avoid your negligence, we undertake to anonymize all our conversations within 30 days of the user closing the dialog box.

12. Who are the Data Controllers and how can you contact them ?

If you have any questions or concerns about this Privacy Policy and our practices regarding the protection of personal data, or if you have any complaints about non-compliance with applicable privacy laws, you can contact our Data Protection Officer by email at: protection-des-donnees@fr.nestle.com.

We will process and investigate any claims relating to the way we manage your personal data (including claims that we have infringed your rights under applicable privacy laws).