1. Who are we?

This policy applies to the digital services operated by:

• BePark SA — a public limited company under Belgian law, company number BE 0 661 532 170, registered at Rue du Mail 50, 1050 Brussels (Belgium), data controller for Belgian and Luxembourg users ;
• BePark SAS — a simplified joint-stock company under French law, data controller for French users.

Hereinafter collectively referred to as "BePark", "we" or "our".

2. What are cookies and trackers?

A "cookie" is a small text file placed on your web browser when you visit a website. It stores information about your visit (language, preferences, session).

A "tracker" is a broader technology that encompasses, in addition to cookies, mobile device identifiers (Advertising ID on Android, IDFA on iOS), SDKs (software development kits) integrated into our mobile application, and any other method used to collect information about your use of our services.

In accordance with Regulation (EU) 2016/679 (GDPR) and the ePrivacy rules transposed into Belgian law (Act of 13 December 2022) and French law (Data Protection Act and ePrivacy Directive), we distinguish two categories of trackers:

• Strictly necessary trackers, placed without prior consent as they are essential for the operation of the service or the performance of the contract ;
• Marketing trackers, placed only after obtaining your free, informed, specific and unambiguous consent.

3. Which trackers do we use?

3.1 Essential trackers — no consent required

These trackers are strictly necessary for the operation of the application and the performance of your contract with BePark. They cannot be refused without making the service unusable.

Tracker / cookie name	Provider	Platform	Purpose	Duration	Legal basis
Firebase Authentication Token	Google (Firebase)	iOS, Android	Session management and user authentication in the application	Session duration + refresh token (configurable)	Performance of contract (Art. 6.1.b GDPR)
Firebase Crashlytics SDK	Google (Firebase)	iOS, Android	Automatic detection and reporting of application crashes to ensure service quality	Until app uninstall	Legitimate interest (Art. 6.1.f GDPR)
Firebase Cloud Messaging Token — Transactional notifications	Google (Firebase)	iOS, Android	Sending essential push notifications: booking confirmation, reminders, payment or expiry alerts	Until uninstall or revocation of system permission	Performance of contract (Art. 6.1.b GDPR)
Adyen SDK (card payment)	Adyen N.V.	iOS, Android, Web	Secure processing of online card payments and fraud prevention	Duration of transaction + legal retention (7 years)	Performance of contract (Art. 6.1.b GDPR)
GoCardless SDK (bank debit)	GoCardless Ltd	iOS, Android, Web	Secure processing of bank direct debits (SEPA Direct Debit) and verification of bank details	Duration of direct debit mandate + legal retention (7 years)	Performance of contract (Art. 6.1.b GDPR)
Session cookie (_session)	BePark	Web	Maintaining the authenticated browsing session on the site	Session (expires on browser close)	Performance of contract (Art. 6.1.b GDPR)

3.2 Marketing trackers — subject to your consent

These trackers are only activated after your explicit consent. You may accept or refuse each category independently, and withdraw your consent at any time (see section 4).

Tracker / cookie name	Provider	Platform	Purpose	Duration	Legal basis
Firebase Analytics SDK	Google (Firebase)	iOS, Android	Audience measurement and analysis of user behaviour in the application (screens visited, actions performed, conversion funnels)	Until uninstall or consent withdrawal	Consent (Art. 6.1.a GDPR)
_ga	Google Analytics 4	Web	Web audience measurement, distinguishing and counting user sessions	2 years	Consent (Art. 6.1.a GDPR)
_gid	Google Analytics 4	Web	Web audience measurement, distinguishing sessions over a 24-hour period	24 hours	Consent (Art. 6.1.a GDPR)
_ga_[ID]	Google Analytics 4	Web	Persistence of the Google Analytics 4 session state	2 years	Consent (Art. 6.1.a GDPR)
Google Ads / Firebase Ads SDK	Google LLC	iOS, Android, Web	Advertising retargeting and conversion measurement from Google Ads campaigns	90 days	Consent (Art. 6.1.a GDPR)
Firebase Cloud Messaging Token — Marketing notifications	Google (Firebase)	iOS, Android	Sending marketing communications, promotions, special offers and re-engagement campaigns	Until uninstall or consent withdrawal	Consent (Art. 6.1.a GDPR)
Typeform	Typeform S.L.	iOS, Android, Web	Running satisfaction surveys, polls and user research forms	Duration of survey + max. 1 year	Consent (Art. 6.1.a GDPR)

4. How to manage your preferences?

4.1 In the mobile application (iOS and Android)

On your first use of the application, a consent screen allows you to accept or refuse marketing trackers. You can change this choice at any time from:

• Application Settings → Privacy → Tracker management

For push notifications, you can also manage permissions directly from your device system settings:

• iOS: Settings → Notifications → BePark
• Android: Settings → Applications → BePark → Notifications

4.2 On our website (bepark.eu)

A consent banner (CMP) is displayed on your first visit. You may:

• Accept or refuse all marketing cookies in one click ;
• Change your choices at any time via the "Manage my cookies" link in your account area.

You may also control cookies via your browser settings. Please note, however, that disabling certain cookies may affect the functioning of the site.

4.3 Refusing Google ad personalisation

Google allows you to control ad personalisation via your Google account or via https://adssettings.google.com. You may also use the Google Analytics Opt-out browser extension available at https://tools.google.com/dlpage/gaoptout.

5. Data transfers outside the European Union

Some of our service providers are established outside the European Union. In such cases, BePark ensures that appropriate safeguards govern these transfers, in accordance with Articles 44 to 49 of the GDPR.

Sub-processor	Country	Safeguards
Google LLC (Firebase, Analytics, Ads)	United States	Standard Contractual Clauses (SCCs) adopted by the European Commission — see https://business.safety.google/gdpr
Adyen N.V.	Netherlands (EU)	Processing within the European Economic Area — no transfer outside the EU
GoCardless Ltd	United Kingdom	European Commission adequacy decision for the United Kingdom (June 2021) — see https://gocardless.com/legal/privacy
Typeform S.L.	Spain (EU)	Processing within the European Economic Area — no transfer outside the EU

6. Retention periods

The retention periods applicable to each tracker are indicated in the tables above. In general:

• Essential trackers are retained for the time strictly necessary for the performance of the service.
• Marketing trackers are retained until the withdrawal of your consent or, at the latest, 13 months after their placement (CNIL and GBA recommendation).
• Mobile device identifiers may be reset at any time from your device's privacy settings.

7. Amendments to this policy

BePark reserves the right to amend this policy at any time, in particular in the event of legislative or regulatory developments, or the addition of new trackers. Any material amendment will be notified via the application or by email at least 30 days before it comes into effect.

The current version is always accessible from the application settings and from the footer of bepark.eu. The update date appears at the top of the document.

8. Contact

For any questions regarding this policy or to exercise your rights (access, rectification, erasure, objection, portability), please contact us at:

BePark SA / BePark SAS
Email: info@bepark.eu

You also have the right to lodge a complaint with the competent data protection authority:

• Belgium: Data Protection Authority (APD/GBA) — https://www.dataprotectionauthority.be
• France: Commission nationale de l'informatique et des libertés (CNIL) — https://www.cnil.fr
• Luxembourg: Commission nationale pour la protection des données (CNPD) — https://cnpd.public.lu