Introduction

At O-REASON, we place paramount importance on protecting your privacy. The collection and processing of your personal data is carried out in compliance with the Belgian Law of July 30, 2018 on the protection of privacy in connection with the processing of personal data (“Privacy Law”) and the European Regulation of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Regulation” or “RGPD”).

This privacy policy aims to provide you with clear and transparent information about how we collect, use, process and protect your personal data when you use our Application.

By using the O-REASON Application, Users declare that they have read this Privacy Policy and expressly accept the collection and processing of their personal data as described in this document.

We reserve the right to modify this Privacy Policy at any time to adapt to legislative or regulatory changes, or to better meet our data protection obligations. We encourage Users to consult this policy regularly to stay informed of our current data privacy practices.

1. Who processes your personal data?

The natural person company Louis Ponlot (trade name “O-REASON”), located Chaussée de Louvain 95 boîte 5, 5310 Eghezée, registered with the ECB under number BE0700.262.487.

O-REASON acts as the controller of personal data in the context of its business of providing a platform for the purchase and sale of second-hand train tickets. As data controller, we determine the purposes and means by which your personal data is processed. This includes collecting, storing, transferring and using your personal information to offer and improve our services, ensure the security of our platform, and comply with our legal obligations.

2. What personal data is collected?

O-REASON collects and processes various categories of personal data according to the specific purposes related to our service. These categories are broken down as follows:

• Identification and authentication data: When you connect via the itsme® identification solution, we collect information to confirm your identity (such as your first and last name and date of birth) in order to secure your access to the Application and provide you with a personalized experience.
• Contact information: We may collect your e-mail address or other contact information (if you provide it voluntarily) in order to communicate with you about your abstinence journey, to inform you about new features of the Application, or to send you reminders and notifications related to your goals.
• Data relating to your abstinence: To monitor your progress, we process information such as the start date of your abstinence period, its duration, your progress over time, as well as any information needed to set and maintain your personal goals.
• Data relating to attestations: When you request an attestation of your period of abstinence, we collect the data required to draw up, issue and retain this attestation.
• Application usage data: In order to improve our services and optimize the user experience, we collect technical information (device type, IP address, browser type, pages viewed, connection time) and analyze usage and navigation patterns within the Application.
• Communications with support: If you contact our support team, the information you provide (message content, details of problems encountered) is processed with the aim of helping you, improving our service and ensuring quality follow-up.

Each category of data is processed in accordance with the purposes described and in compliance with data protection laws. O-REASON undertakes to collect only the data that is strictly necessary for these purposes.

3. What are the objectives?

Personal data collected by O-REASON is used for several purposes essential to the operation of our service and the improvement of the user experience. These purposes include:

• Authentication and user account management: The information collected during your connection via itsme® is used to verify your identity, guarantee the security of your account and facilitate your access to the Application.
• Tracking your abstinence period: Data relating to your journey (start date, duration, progress) enables us to support you throughout your abstinence period, measure your progress and offer you personalized follow-up.
• Issue of certificates: The information collected is used to draw up, issue and keep certificates proving your period of abstinence, at your request.
• Improving the Application and developing new features: Usage data (technical information, usage statistics) is analyzed in order to understand how you interact with the Application, improve ergonomics, correct any malfunctions and design new features to meet your needs.
• Customer support and communication: The information you provide when you contact our customer support team is used to answer your questions, resolve any problems you encounter and improve the quality of our assistance.
• Information and promotional communications: Where appropriate, with your consent, we may use your data to send you information messages, updates on our services or promotional communications. You may withdraw your consent at any time and object to receiving such messages.

All data processing is carried out in strict compliance with the principles of proportionality and necessity, in accordance with the laws governing the protection of personal data.

4. On what legal grounds is your data processed?

O-REASON processes users’ personal data on the basis of several legal bases established by the RGPD, in connection with the purposes mentioned:

• Contract performance (Article 6(1)(b) RGPD): The data collected in order to authenticate you via itsme®, manage your account, monitor your abstinence period and issue you with the necessary certificates, are processed in the context of the performance of the services agreed with you. Without this processing, it would be impossible for us to provide you with the functionalities of the Application and to respond to your requests.
• Legitimate interest (Article 6(1)(f) RGPD): The analysis of usage data, technical maintenance, continuous improvement of the Application and development of new features are based on our legitimate interest in ensuring an optimal, safe and high-performance experience for all our users.
• Consent (Article 6(1)(a) GDPR): If you choose to receive promotional or informational communications, we will rely on your consent, which you may withdraw at any time.
• Legal obligations (Article 6(1)(c) RGPD): In certain cases, we may be required to retain or disclose certain data in order to comply with our legal or regulatory obligations (for example, in the event of a request from a competent authority).Each category of data processing is strictly aligned with the requirements of the RGPD, ensuring that your data is processed lawfully and transparently for specific and legitimate purposes.

5. To whom is your data transferred?

As part of the provision, maintenance and improvement of the O-REASON Application, some of your personal data may be transmitted to the following third parties, in compliance with the purposes and legal bases described above:

• Technical and hosting service providers: We use service providers specialized in hosting (OVH), server maintenance, technical support and IT security. These service providers only have access to your data to the extent necessary to perform the services entrusted to them, and are subject to strict contractual obligations in terms of confidentiality and data protection.
• Providers of authentication solutions (itsme®): Connecting to the Application via itsme® involves communicating the information necessary to verify your identity. This information is protected by the security and confidentiality protocols implemented by itsme®, in accordance with applicable regulations.
• Legal authorities: In certain cases, O-REASON may be required to communicate certain personal data to judicial or administrative authorities in compliance with applicable laws and regulations. Such communication will only take place upon valid request from a competent authority and within the defined legal framework.

Apart from these cases, O-REASON does not sell, rent or disclose your personal data to third parties without your prior consent. The transfer of data outside the European Economic Area, if it takes place, will be framed by appropriate safeguards (standard contractual clauses, adequacy decisions or other mechanisms provided for by the RGPD) in order to ensure a level of protection that complies with legal requirements.

6. How is your data stored and protected?

O-REASON takes the security of your personal data very seriously. We store collected data on secure servers, located in controlled facilities. Data may be stored and processed in one or more data centers located in the European Economic Area (EEA) or in other locations complying with data protection standards.

To protect your personal data against unauthorized access, disclosure, alteration or destruction, O-REASON implements advanced technical and organizational security measures, including:

Sensitive data, such as payment information and personal identifiers, are encrypted during transmission and storage.

Access to your personal data is strictly limited to O-REASON employees and service providers who need to know this information in order to provide, operate, develop or improve our services.

Regular audits are carried out to assess and improve the security of our IT systems.

O-REASON teams receive ongoing training on best practices in data protection and IT security.

In the event of a data breach, we have an internal incident procedure to minimize the impact and inform users and the competent authorities, in accordance with current regulations.

Your personal data is kept only for as long as is necessary for the purposes for which it was collected, in accordance with our data retention policy and legal requirements. Once these purposes have been fulfilled or these periods have expired, your data is either deleted or anonymized.

O-REASON is committed to regularly evaluating and updating its security practices to adapt to new threats and security standards.

7. How long is your data stored?

O-REASON retains your personal data for the period strictly necessary for the purposes for which it was collected, and in compliance with the legal and regulatory provisions in force. Retention periods may vary depending on the nature of the data and the purpose for which it was collected:

• Account management and abstinence monitoring: The data required for authentication, account management and abstinence monitoring is retained for as long as your account remains active. If you decide to close your account, your data will be deleted or anonymized within a reasonable period of time, unless a legal obligation requires longer retention.
• Issuing certificates: The information required to issue and keep your certificates is kept for the time needed to issue them and, where applicable, to respond to any requests for verification or legal obligations.
• Application usage and improvement data: Technical and statistical data collected for the purpose of improving the service and developing new functionalities is kept for a period proportionate to this objective, generally from a few months to a maximum of 3 years, after which it is deleted or rendered anonymous.

• Customer support and communication: Information exchanged with support is kept for the time required to process your request and for a reasonable period after the file has been closed, in order to improve the quality of our service, then deleted or anonymized.
• Legal obligations: Certain data may be retained for longer periods to meet legal, regulatory or fiscal obligations, or in the event of litigation, in accordance with applicable legal provisions.

Once the retention periods have expired, O-REASON undertakes to delete or anonymize your data, ensuring that no information is retained beyond what is strictly necessary.

8. What are your rights?

• Rights of access, rectification and deletion:

Users of O-REASON have the right to access, modify or delete their personal data. To do so, they may contact O-REASON by e-mail at info@o-reason.com, providing proof of identity.

• Right to information:

Following a request, O-REASON will provide information on the purposes of data processing, the categories of data concerned, the recipients of the data, the data retention period, the rights relating to data processing, and the right to lodge a complaint with a supervisory authority.

• Right of opposition and limitation:

Users may object to the use of their personal data or request that their processing be restricted. They may exercise these rights by contacting O-REASON by e-mail, providing proof of identity.

• Right to data portability:

Users have the right to receive their personal data in a transferable format and to transmit it to another data controller, if technically possible.

• Right to complain:

In the event of non-compliance with the RGPD, Customers or Users have the right to lodge a complaint with the Belgian Data Protection Authority

(https://www.autoriteprotectiondonnees.be/).

9. Cookies

O-REASON uses cookies to record navigation information on its website. Users can manage their cookie settings via their browser.

10. Applicable law and jurisdiction

This privacy policy is governed by Belgian law and any disputes will be settled by the courts of the judicial district of Namur. For online consumer disputes, there is a European dispute resolution platform(https://ec.europa.eu/consumers/odr).