Thales Privacy Policy for “Thales Biometric Data Collection Campaign” Mobile Application

1. What personal data do we collect and process?

Thales may process the following personal data when you use the Application:

• Personal Information: face videos and images.
• Information about the device you are using to access the Application, depending on the device and its settings, which may include:
  • Type of device
  • Device operating system
  • Device camera configuration (for example supported resolutions)
  • Application info and performance, crash logs, diagnostics, other application performance data

2. What are the purposes for processing your personal data?

Your data may be used for the following purposes:

• Internal research & development including machine learning, improvement of Thales products and services, product validation and performance testing within the context of the Project

3. What is the legal basis for the processing of your personal data?

The legal basis for the processing of your personal data is the End-User License Agreement to which you are party since you downloaded the Application and the consent form you signed with one Thales entity related to the Biometric data collection campaign for this purpose.

4. How long do we keep your personal data?

Your personal data will be kept for a period of five (5) years from the date your personal data was collected.

5. Who receives your personal data?

Recipients of all or part of your personal data may include:

• Personnel of THALES
• Thales entities listed in the consent form you signed and other entities of its group in charge of administration, supervision, and management of THALES’ mobile application products and services
• Personnel of third parties providing services to THALES, particularly hosting and maintenance services of its information systems

When your personal data is transferred by a Thales company established in the European Economic Area (EEA) or the United Kingdom (UK) to a Thales company outside these areas in a country without an adequacy decision, this transfer is based on the Binding Corporate Rules (BCR) adopted by Thales.

Thanks to the Thales BCR, wherever your personal data is processed within the Thales Group, it benefits from the same standard of protection. You can access the Thales BCR here.

When your personal data is transferred by a Thales company established in the EEA to a third-party outside the EEA in a country without adequacy, Thales relies on Standard Contractual Clauses (SCC) adopted by the European Commission. You can obtain a copy of the SCC signed by Thales by making a “Personal data protection” request here.

When your personal data is transferred by a Thales company established in the UK to a third-party outside the UK in a country without adequacy, Thales relies on the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the SCC issued by the Information Commissioner’s Office.

6. What security measures are in place to protect your data?

Thales implements technical, organizational, and contractual security measures necessary to protect your personal data against accidental or unlawful destruction, loss, alteration, disclosure, or unauthorized access.

7. What are your rights concerning your personal data?

You have the right to:

• Access your personal data
• Request rectification or deletion of your personal data
• Request restriction of the processing of your personal data
• Receive your personal data in a structured and standard format that you provided to Thales and which Thales processes by automated means

For any request or complaint, please contact:

• Email: support.digital.id.wallet.demo@thalesgroup.com
• Data Protection Officer: dataprotection@thalesgroup.com

You also have the right to lodge a complaint with the competent data protection authority.

8. Update of the Thales EUDIW LSP Wallet Privacy Policy

This notice is updated regularly to take into account technological innovations as well as legislative and regulatory changes.

Date of last revision: October 2025