GENERAL TERMS OF SERVICE AND USE (B2B)

GINI: MyTraffic AI Assistant

Version 1.1 – Date: 05/01/2026

1. Legal Notice

MYTRAFFIC SAS
12 rue Vivienne (Lot 3), 75002 Paris, France
SIRET: 814 849 113 00026
Support email: support@mytraffic.fr

2. Preamble: MyTraffic and the Service

MyTraffic develops analysis and mapping solutions for professionals, providing access to indicators and analyses relating in particular to footfall, commercial environments, area dynamics, and decision support for location strategy.

GINI is a conversational AI service integrated into the MyTraffic ecosystem. Authorized Users submit Prompts and receive Outputs (responses, recommendations, summaries, tables).

The Outputs are intended as decision-support tools only and do not constitute professional advice nor a guarantee of performance.

3. Definitions

For the purposes of these General Terms of Service and Use (“GTSU”), terms beginning with a capital letter have the following meanings:

“Order Form / Quotation”: any contractual document or equivalent medium (including online subscription, pricing plan, administration interface, or specific terms accepted electronically) specifying, depending on the applicable offer, the scope of the Service, duration, features, usage quotas, price, and, where applicable, API access conditions.

“Client”: any legal or natural person acting in a professional capacity who has subscribed to the Service.

“Credits”: a unit of consumption of the Service, constituting a Quota within the meaning of these terms.

“Authorized User”: any person authorized by the Client to access the Service via an account.

“Account”: an account enabling access to the Service, created for the Client and/or its Authorized Users.

“Billing Period”: a monthly or annual period depending on the subscribed offer, as indicated at the time of subscription via the Service Interface and/or the Order Form / Quotation.

“Service”: the MyTraffic web application accessible via a browser; API access is available only if expressly provided for in the Order Form / Quotation.

“Service Interface”: the application interface (including dashboards and management screens) enabling the Client to view or manage, depending on the subscribed offer, the Service’s features, quotas, Authorized Users, and settings.

“Organization”: the contractual “Client” entity attached to an Account, within which Authorized Users, Seats, and Quotas are managed.

“Quotas”: usage limits applicable to the Service depending on the subscribed offer (for example number of requests, processing volume, credits, documents, Authorized Users, or any other usage metric specified in the Order Form / Quotation, pricing plan, and/or Service Interface).

“Prompt / Input”: any instruction, question, or request submitted to GINI by an Authorized User.

“Seat”: a named access right allowing one (1) natural person, an Authorized User, to access the Service on behalf of the Client.

“Output / Result”: any content generated by GINI in response to a Prompt and/or based on a Client Document (including recommendations, summaries, tables, analyses).

“Client Documents”: any files, documents, or data uploaded by the Client or an Authorized User into GINI (including PDFs, spreadsheets, or similar documents), where applicable.

“Client Content”: all Prompts, Client Documents, and content provided by the Client in connection with the Service.

“MyTraffic Data”: datasets, analytics, indicators, methodologies, models, content, and elements provided by MyTraffic independently of Client Content.

“Third-Party AI Providers” or “LLM Providers”: third-party service providers supplying models and/or APIs used to operate all or part of the Service (for example OpenAI, Anthropic, Grok, Google, etc.).

“DPA”: the Data Processing Agreement entered into between the Parties where applicable (Article 28 GDPR).

“AUP”: the Acceptable Use Policy set out in Appendix 2.

“Trust Center Summary”: an informational summary of security, privacy, and organizational measures set out in Appendix 5, provided for transparency purposes.

4. Contractual Documents – Order of Priority

The contractual documents governing the Service are, in descending order of priority:

the Order Form / Quotation and, where applicable, any specific terms accepted by the Parties;
the DPA and any amendment relating to the processing of personal data, where applicable;
the Evaluation / Trial Conditions, where applicable;
these GTSU and their appendices (including the AUP, AI Safety Exhibit, Security Incident Exhibit, and Trust Center Summary);
the pricing plan, the Service Interface, and any documentation or reference information made available by MyTraffic.

5. Purpose: Scope of the Service

5.1 These GTSU define the conditions for access to and use of GINI, as well as the rights and obligations of the Parties, including with respect to data, security, compliance, and liability.

5.2 The functional scope, activated modules, quotas, number of Authorized Users, and, where applicable, API access are defined in the Order Form, or failing that, in the applicable pricing plan and/or Service Interface.
The features, modules, and options available to the Client are strictly limited to those included in the subscribed offer as defined in the pricing plan, Service Interface, and/or Order Form / Quotation.
Unless expressly agreed in writing by MyTraffic, no feature not included in the subscribed offer (including “Enterprise” features) may be made available to the Client, whether free of charge or on a promotional basis.

5.3 Online offers, trial, and variable usage (Trial / Freemium / Usage-based).
When the Client subscribes to the Service through an online offer, trial, free (“freemium”), or usage-based offer, the available features, Quotas, technical limits, and any applicable restrictions (including rate limits, volumes, number of documents, and/or prioritization) are those (i) of the subscribed pricing plan and/or (ii) displayed in the Service Interface at the time of use.

5.3.1 In the event of Quota overruns or abnormal usage (including unusually high volumes of processed data or generated LLM tokens), MyTraffic may apply limitations, temporarily suspend certain features, or invite the Client to upgrade its offer.

5.3.2 Quotas and usage metrics may be reasonably adjusted in order to:
(i) prevent abuse;
(ii) protect the security, performance, or integrity of the Service;
(iii) account for technical or regulatory developments; or
(iv) reflect substantial cost changes related to third-party providers essential to the operation of the Service, including AI model providers.

Such adjustments shall not result in a substantial reduction of the Client’s rights under an ongoing Order Form, unless agreed by the Parties or unless MyTraffic implements reasonable alternative measures (such as a pricing adjustment, model change, or modification of the usage scope).

5.3.3 Credits

Volumes: Depending on the subscribed offer, the Service includes a volume of Credits corresponding to a reasonable use of the platform, taking into account the number of Seats and the type of usage. Credits and their method of consumption constitute Quotas. The Credit balance and consumption details are available in the Service Interface.

Credits are allocated and consumed per Billing Period (monthly or annual depending on the subscribed offer). Unless otherwise specified in the Order Form / Quotation, unused Credits at the end of a Billing Period are not carried over to the next period and are reset upon renewal of such period.

Monthly offers.Certain monthly offers may be limited to a specific number of Seats and specific Quotas, as displayed in the Service Interface at the time of subscription. These offers may not allow the purchase of additional Seats or options, unless the Client upgrades to an eligible offer.

Consumption principle. Starting a conversation or a workflow is free of charge. One (1) Credit is consumed when the processing volume (data scanned, retrieved, or generated) within the same conversation exceeds a threshold defined in the Service Interface. Beyond this threshold, additional Credits may be consumed in successive increments.

Reasonable use.In order to prevent abuse and protect the performance of the Service, a reasonable use limit is applied at the Organization level, including in particular: (i) an average cap of two million (2,000,000) LLM tokens generated per conversation; and (ii) a global threshold for the number of conversations and/or workflows initiated over a given period.

Beyond these safeguards, MyTraffic reserves the right to temporarily limit the Service, temporarily block the Account, suspend access, or invite the Client to upgrade its offer, in accordance with these GTSU.

No standalone purchase of Credits. Unless otherwise specified in the Order Form / Quotation, the Client may not purchase Credits (or a quota of conversations/workflows) on a standalone basis. Any additional usage needs requires an upgrade of the offer (change of package and/or addition of Seats) under the conditions available in the Service Interface and/or through MyTraffic’s sales teams.

5.4 Client Content May Include Business-Sensitive Information

The Client acknowledges and agrees that, depending on its use, Client Content provided to the Service (Inputs, uploaded documents, text, tables) may contain: (i) confidential information and/or trade secrets of the Client or third parties; and/or (ii) personal data.

The Client remains solely responsible for the selection of the information it transmits through the Service, in accordance with these GTSU, the AUP (Appendix 2), and, where applicable, the DPA.

5.5 File Uploads

The Service allows the Client and its Authorized Users to upload files and documents (including PDFs, spreadsheets, or similar documents) in order to enable their analysis, summarization, or processing by GINI as part of the Service’s functionalities.

6. Access to the Service; Accounts and Credentials

6.1 The Service is accessible via a personal username and password (or any other authentication mechanism offered). The Client is responsible for managing access rights and maintaining the confidentiality of credentials.

Any unauthorized use must be reported to MyTraffic without delay.

Usage limits, Quotas, and features applicable to the Service may be defined or specified in the Order Form, the subscribed pricing plan, and/or the Service Interface. In the event of exceeding such limits, MyTraffic may apply limitations, temporary suspensions, or propose an upgrade of the offer.

6.2 Seats (Authorized Users)

The number of Seats included in the offer corresponds to the maximum number of Authorized Users who may access the Service simultaneously or actively within the Organization.

The applicable number of Seats, prices, billing terms, Quotas, and usage limits (including Seats and Credits) are those indicated in the pricing plan, the Service Interface, and/or the Order Form / Quotation.

Credential sharing between multiple individuals is prohibited. In the event the number of Seats is exceeded, MyTraffic may limit access, suspend certain features, and/or invite the Client to upgrade its offer.

6.3 Financial Conditions:

Access to the Service is subject to payment of the plan or offer selected by the Client.

Prices, billing terms, applicable Quotas, and usage limits are those indicated, depending on the offer, in the Order Form / Quotation, the pricing plan, and/or the Service Interface at the time of subscription or use.

Unless otherwise stated, prices are expressed exclusive of taxes, which shall be invoiced in addition in accordance with applicable regulations.

Access to the Service is conditional upon payment of all amounts due. In the event of non-payment, MyTraffic reserves the right to limit or suspend access to the Service until payment is made.

Any changes to prices or Quotas shall not affect the conditions applicable during the term of an ongoing Order Form. For offers without an Order Form, changes shall apply prospectively and shall be communicated to the Client via the Service Interface or any other appropriate means.

Promotions and discounts.
Promotions, discounts, or pricing benefits may be offered for a limited duration and subject to eligibility conditions communicated at the time of the offer (event, early adopters, end-of-period campaigns, etc.). Unless expressly stated otherwise, promotions are not cumulative and apply only for the indicated period; upon expiry, the then-current standard pricing shall apply.

Pricing plan changes.
Changes to the pricing plan apply to new subscriptions, renewals requiring a new subscription, and upgrades performed after the effective date of such changes. Ongoing subscriptions remain governed by the conditions applicable at the time of subscription, unless otherwise agreed or unless a migration is proposed by MyTraffic.

7. Conditions of Use: AUP (Summary)

The Client undertakes to comply with Appendix 2 (Acceptable Use Policy – AUP). In particular, the following uses are prohibited:

illegal activities, fraud, or discrimination;
large-scale data extraction, scraping, or abusive automation;
reverse engineering, circumvention of Quotas or security measures;
attempts at prompt injection, jailbreak, or data exfiltration;
uploading unlawful content or content infringing third-party rights;
collection or processing of unauthorized sensitive data and uploading confidential information of third parties (including trade secrets) without authorization or in breach of a confidentiality obligation.
MyTraffic may suspend or limit access to the Service in the event of abuse, security risk, or non-compliance with these GTSU and/or the AUP.

8. AI-Specific Provisions (Professional-Grade Approach)

8.1 Transparency

The Client acknowledges that GINI incorporates artificial intelligence functionalities and that Users interact, in whole or in part, with an automated system.

8.1.1 Information and Display Obligation

MyTraffic shall implement reasonable means to ensure that the Service displays, at the latest upon an Authorized User’s first interaction with GINI and in a manner that remains easily accessible during use, a notice indicating that the User is interacting with an artificial intelligence system.

The Client, in turn, undertakes to inform its Authorized Users (in particular through its internal policies and/or applicable terms of use) that they are interacting with an AI system and that Outputs are subject to the limitations described herein.

8.2 Probabilistic Nature – No Warranty

Outputs are probabilistic and may contain errors, omissions, approximations, or biases. MyTraffic does not warrant the accuracy, completeness, or fitness of Outputs for any specific purpose.

8.3 Decision Support – No Professional Advice

Outputs are provided for informational purposes only and constitute decision-support tools. They do not constitute professional advice (legal, financial, real estate, or otherwise).

8.3.1 Non-Deceptive Use and Contextualization of Outputs

The Client shall refrain from: (i) presenting Outputs as human-generated, certified, verified, or as personalized professional advice; (ii) substantially removing or obscuring warnings relating to the limitations of Outputs when communicated to third parties; and (iii) using Outputs as the sole basis for decisions likely to have significant impacts without human review in accordance with Article 8.4.

8.4 Human Review

The Client remains solely responsible for its use of Outputs and undertakes to implement a reasonable human review before any decision-making or implementation.

8.5 Sensitive Uses

The Client shall not use GINI to automate decisions producing significant legal effects on individuals without appropriate human supervision and without an adequate legal framework.

8.5.1 Change of Use Case / Regulatory Requalification

The Client undertakes to notify MyTraffic without delay if it intends to use the Service in a context likely to trigger enhanced regulatory obligations (in particular under European artificial intelligence regulations) or involving high-impact decisions concerning natural persons.

In such case, MyTraffic may, at its reasonable discretion:
(i) refuse the proposed use case;
(ii) suspend access to the Service for the relevant scope; and/or
(iii) propose additional contractual terms and compliance measures prior to any continued use.

User warning. The Client acknowledges that the Service is not intended for permanent document storage and undertakes to avoid uploading unnecessarily sensitive or confidential information, in accordance with the data minimization principle.

9. Data, Intellectual Property, and Licenses

9.1 MyTraffic Ownership

MyTraffic retains all intellectual property and/or exploitation rights in GINI, the documentation, and the MyTraffic Data. No transfer of ownership is granted.

9.2 License to Use MyTraffic Data

Subject to payment of all amounts due and compliance with these GTSU, MyTraffic grants the Client a license to access and use the MyTraffic Data that is:

strictly limited, non-exclusive, non-assignable, non-transferable, and non-sublicensable;
restricted to the Client’s internal use;
limited to the scope (modules, areas, Quotas, users) defined in the Order Form;
granted for the duration of the contract only.

Unless expressly agreed in writing by MyTraffic, the Client is prohibited from reselling, publishing, distributing, making available, granting access to, or otherwise exploiting the MyTraffic Data for the benefit of any third party (including affiliates, group companies, franchisees, partners, service providers, or advisors).

9.3 Prohibition on Reuse / Third-Party Tools / Training / Derivatives

Unless expressly agreed in writing by MyTraffic, the Client shall not:

integrate, synchronize, or import MyTraffic Data into third-party tools or platforms (including data warehouses/lakes, BI tools, indexing engines, analytics platforms, or AI tools) where such integration enables autonomous reuse of MyTraffic Data outside the Service;
train, retrain, fine-tune, evaluate, or improve any model or algorithm (including AI/ML, whether generative or not) using MyTraffic Data;
create, derive, commercialize, or make available indicators, scores, databases, products, or services that are substantially derived from MyTraffic Data, including through hybridization with third-party data;
reconstruct databases, circumvent Quotas, or perform any systematic extraction (scraping, crawling, abusive automation).

The obligations set out in Articles 9.2 and 9.3 shall survive termination of the contract.

9.4 Client Content

The Client retains ownership of its Client Content. The Client authorizes MyTraffic to host, process, reproduce, and analyze Client Content strictly for the purposes of providing the Service, ensuring security and anti-abuse measures, complying with legal obligations, and maintaining the Service.

9.5 Outputs

Subject to MyTraffic’s rights and third-party rights, the Client may use the Outputs for its internal needs. The Client acknowledges that similar Outputs may be generated for other users without this constituting a breach of confidentiality.

9.6 Client Content and Uploaded Files

The Client remains solely responsible for the Client Content provided to the Service, including files, documents, and data uploaded or entered via GINI.

The Client represents and warrants that it holds all necessary rights, authorizations, and legal bases to provide such Client Content, including where it contains confidential information, trade secrets, or personal data.

The Client undertakes to upload only information strictly necessary for the intended purpose (data minimization principle) and not to use the Service to process special categories of personal data within the meaning of the GDPR (including health, biometric, genetic data, political opinions, or religious beliefs), unless expressly agreed in writing by MyTraffic and subject to appropriate contractual safeguards, including a DPA and enhanced security measures.

MyTraffic processes Client Content exclusively for the purposes of providing the Service, in accordance with these GTSU, the AUP (Appendix 2), and, where applicable, the DPA.

10. Third-Party AI Providers (LLM Providers)

GINI may rely on Third-Party AI Providers to operate all or part of the Service. Client Content may be processed by such providers to the extent necessary for the provision of the Service, in accordance with the applicable confidentiality and security commitments.

An indicative list of subcontractors (LLM and/or cloud providers) is set out in Appendix 1. MyTraffic may update this list; in the event of a material change, MyTraffic shall notify the Client in accordance with the terms set out in the Order Form or, failing that, by any reasonable written means.

11. Trust & Security (Trust Center–Style Summary – MyTraffic)

11.1 Positioning

MyTraffic does not claim, under these GTSU, to hold any specific certification (such as SOC 2 or ISO 27001), unless expressly stated in a separate contractual document.
However, MyTraffic implements technical and organizational security measures proportionate to the identified risks, as described below.

11.2 Security Measures (Examples of Controls)

By way of illustration, MyTraffic implements the following measures, depending on the applicable technical scope:

data encryption at rest;
access controls and authorizations based on the “need-to-know” principle (least privilege / RBAC);
enhanced authentication mechanisms (MFA / 2FA) for sensitive access;
access logging and periodic access rights reviews;
data retention and deletion policies (lifecycle management), and legal hold mechanisms where applicable;
anti-abuse measures, including rate limiting, anomaly detection, and application-level security controls.

11.3 AI Traceability (Logs)

For security, support, abuse prevention, and incident investigation purposes, MyTraffic may retain logs associated with GINI interactions, including prompts, outputs, timestamps, Client/account identifiers, model versions, and technical metrics.

Retention periods. Unless otherwise specified in the Order Form or required by law, MyTraffic applies by default a retention period of ninety (90) days from the date of collection for traceability logs relating to the Service.

For certain offers or options (including “Enterprise” offers), an extended retention period of up to one (1) year may be agreed in the Order Form.

Logs may be subject to a legal hold where required by law or by a request from a competent authority. Upon expiry of the applicable retention periods, logs are deleted or anonymized in accordance with MyTraffic’s retention policy and, where applicable, the DPA.

11.4 AI Safeguards: MyTraffic implements reasonable safeguards, including basic prompt-injection prevention, output filtering, controls aimed at reducing the risk of unintended personal data exposure, and usage volume limitation mechanisms.

11.5 Incident Management

MyTraffic maintains incident management procedures. In the event of a security incident affecting the Service, MyTraffic shall inform the Client within a reasonable timeframe and shall cooperate in good faith to mitigate impacts.

Where personal data are processed on behalf of the Client (processor role), notification and assistance obligations are detailed in the DPA.

12. GDPR – Personal Data

The Client represents and warrants that it holds all necessary rights, authorizations, and legal bases to upload and process Client Content via GINI.

12.1 Processor Role

Where MyTraffic acts as a processor within the meaning of the GDPR, the Parties shall enter into a Data Processing Agreement (DPA specifying the instructions, security measures, subprocessors, transfers, retention periods, and deletion mechanisms.

12.2 DPA Required for Processing on Behalf of the Client

Where the Client uses the Service to process personal data through Client Content, MyTraffic acts as a processor within the meaning of the GDPR, and the Parties agree to implement a DPA (Article 28 GDPR).

Such DPA shall describe in particular the subject matter, duration, nature, and purpose of the processing, the types of personal data and categories of data subjects, the security measures, the list of onward subprocessors, and, where applicable, transfer mechanisms.

In the absence of a required DPA, MyTraffic may suspend the processing of Client Content containing personal data until compliance is achieved.

12.3 Processing of Personal Data via Uploaded Files

Where the Client uses the Service to upload, analyze, or process files or documents containing personal data, MyTraffic acts as a processor within the meaning of the GDPR.

In such case, the Parties agree to enter into a DPA compliant with Article 28 of the GDPR, prior to or concurrently with such processing.

Failing the implementation of a required DPA, MyTraffic reserves the right to suspend the processing of the relevant Client Content until compliance is restored.

13. Support, Maintenance, Availability

Support.
Support is available at support@mytraffic.fr, in accordance with the terms set out in the applicable Order Form. MyTraffic may temporarily interrupt the Service for scheduled or emergency maintenance.

Service Level Agreement (SLA).
Any service level commitments apply only if expressly provided for in an Order Form and/or an SLA appendix. Failing such provisions, no specific availability commitment is made.

14. Liability and Limitations

MyTraffic is bound by a best-efforts obligation (obligation de moyens).

Subject to mandatory statutory provisions, MyTraffic shall not be liable for any indirect, consequential, incidental, or special damages, including loss of profit, loss of data, loss of opportunity, or business interruption.

Liability cap. MyTraffic’s total aggregate liability in connection with the Service shall not exceed the total amount actually paid by the Client for the Service during the twelve (12) months preceding the event giving rise to the claim, except in cases of gross negligence (faute lourde), willful misconduct (dol), or bodily injury.

AI-specific clause : The Client remains solely responsible for verifying Outputs and for all decisions made on the basis thereof.

15. Suspension and Termination

MyTraffic may suspend access to the Service in the event of abuse, security risk, or breach of these GTSU and/or the AUP.

Either Party may terminate the Contract in the event of a material breach by the other Party that remains uncured within a reasonable period following written notice, in accordance with the terms set out in the Order Form or, failing that, within thirty (30) days.

16. End of Contract – Cessation of Use, Deletion/Return, Verification

16.1 Cessation of Use

Upon expiration or termination of the Contract, the Client shall:
(i) cease all access to and use of the Service; and
(ii) cease any use of the MyTraffic Data, unless otherwise provided for in the Contract (in particular, vested rights relating to expressly identified deliverables).

16.2 Deletion of MyTraffic Data

Within thirty (30) days following the end of the Contract, the Client shall delete or render unusable all copies of the MyTraffic Data in its possession or under its control, including extracts and exports insofar as they enable substantial reconstruction of the MyTraffic Data or independent use outside the Service.

This article does not require deletion of the Client’s internal documents (reports, presentations, decisions) that contain only aggregated results or Outputs that do not allow substantial reconstruction of the MyTraffic Data.

16.3 Deletion Certificate

Upon written request from MyTraffic, the Client shall provide a deletion certificate signed by a duly authorized representative within a reasonable timeframe.

16.4 Targeted Verification

In the event of a reasonable suspicion of non-compliance with the obligations set out in this article (in particular unauthorized use or retention of substantial extracts of the MyTraffic Data), MyTraffic may request a targeted verification.

Such verification shall take the form, at MyTraffic’s reasonable discretion, of:
(i) a compliance questionnaire and/or
(ii) limited, strictly necessary, and non-intrusive supporting evidence.

An on-site audit or audit by an independent third party may be requested only as a last resort, subject to reasonable prior notice, during business hours, and in compliance with confidentiality obligations.

16.5 Costs

The cost of any verification or audit shall be borne by MyTraffic, unless such verification or audit reveals a material breach by the Client, in which case the reasonable costs thereof may be invoiced to the Client.

16.6 Personal Data (Reminder)

Where applicable, deletion or return of personal data contained in Client Content is governed exclusively by the DPA.

17. Governing Law – Jurisdiction

These GTSU are governed by French law.

The competent courts shall be those of Paris, unless otherwise specified in the Order Form.

18. Confidentiality

Definition :

“Confidential Information” means any information disclosed by one Party to the other Party, in any form whatsoever, that is identified as confidential or that, by its nature, should reasonably be considered confidential, including without limitation MyTraffic Data, Client Content, specifications, technical data, pricing, roadmaps, code, and Outputs.

Exclusions:

Confidential Information does not include information that: (i) is or becomes public other than through a breach of this Contract; (ii) was lawfully known to the receiving Party prior to disclosure; (iii) is lawfully received from a third party without breach of a confidentiality obligation; or (iv) is independently developed by the receiving Party without use of the Confidential Information.

Obligations

The receiving Party undertakes to: (i) not disclose Confidential Information except to its employees, advisors, Affiliates, or subcontractors who have a strict need to know and are bound by confidentiality obligations at least equivalent to those set forth herein; (ii) use Confidential Information solely for the performance of the Contract; and (iii) protect Confidential Information using reasonable safeguards at least equivalent to those it applies to its own confidential information.

Required Disclosure: If the receiving Party is required by law, regulation, or court order to disclose Confidential Information, it shall, to the extent permitted by law, notify the disclosing Party in advance and reasonably cooperate to limit the scope of such disclosure.

Return or Destruction: Upon expiration or termination of the Contract, the receiving Party shall, at the disclosing Party’s option, return or destroy all Confidential Information within thirty (30) days and provide a written certification upon request. Copies required to be retained by law may be kept and shall remain subject to the confidentiality obligations set forth herein.

Term: Confidentiality obligations shall apply for the duration of the Contract and for five (5) years thereafter, except for trade secrets, which shall remain protected for as long as they retain their status as trade secrets.

Injunctive Relief: Any breach of confidentiality obligations may cause irreparable harm. Accordingly, the disclosing Party shall be entitled, in addition to damages, to seek injunctive or equitable relief without the need to post a bond.

Personal Data: Where Confidential Information includes personal data, the provisions of the DPA shall prevail in the event of any conflict.

19. Compliance (Sanctions, Export Controls, AML/CFT, Anti-Corruption)

Each Party undertakes to comply with all applicable laws and regulations, including without limitation those relating to economic sanctions, embargoes, export controls, anti-money laundering and counter-terrorist financing (AML/CFT), and anti-corruption laws (including, where applicable, the U.S. Foreign Corrupt Practices Act and the UK Bribery Act).

Upon reasonable request, the Client shall provide any necessary KYC/AML information and represents that neither it, nor its beneficial owners, nor any relevant Authorized User is listed on any applicable sanctions list.

MyTraffic reserves the right to modify this grid as part of the evolution of its offers. Any such changes shall apply to new subscriptions, upgrades, and renewals.

APPENDIX 0 — INCLUDED CREDITS GRID

1. Purpose

The purpose of this Appendix is to define, for GINI standard offers, the correspondence between the number of Seats subscribed by an Organization and the number of Credits included in the offer for the applicable period.

2. Included Credits Grid (per Organization)

Unless otherwise specified in an Order Form / Quotation, the included Credits are allocated as follows:

No of seats

CREDITS INCLUED

1 Seat

60 Credits

2 Seats

120 Credits

3 Seats

250 Credits

4 Seats

500 Credits

5 Seats

750 Credits

10 Seats

10 000 Credits

MyTraffic reserves the right to update this grid as part of the evolution of its offers. Any such changes shall apply to new subscriptions, upgrades, and renewals requiring a new subscription, unless otherwise specified in the applicable Order Form / Quotation.

APPENDIX 1 — Subprocessors (Indicative List)

LLM Providers (depending on the Service architecture): OpenAI, Anthropic, Grok, Google
Role: AI generation services.

Depending on technical configurations and availability, certain processing operations may be carried out within the European Union and/or outside the European Economic Area (EEA). Where transfers outside the EEA are required, they are governed by appropriate transfer mechanisms (including, where applicable, Standard Contractual Clauses and supplementary measures), in accordance with the DPA where applicable.

MyTraffic maintains an up-to-date list of subprocessors and shall inform the Client of any material changes in accordance with these GTSU and/or the DPA.

Upon the Client’s written request, MyTraffic shall provide the available information relating to the primary processing location per provider and the applicable transfer mechanisms.

APPENDIX 2 — Acceptable Use Policy (AUP)

Prohibited Uses

The following uses are strictly prohibited:

illegal activities, fraud, impersonation, discrimination, or harassment;
large-scale extraction, scraping, crawling, abusive automation, or circumvention of Quotas (including multiple accounts or scripts);
uploading, entering, or processing content that infringes third-party rights (including copyright or trademarks) or discloses third-party confidential information without authorization;
reverse engineering, attempts to access system prompts, or exfiltration of secrets or data;
prompt injection or jailbreak attempts intended to bypass safeguards or obtain internal information;
uploading unauthorized sensitive data;
automation of sensitive decisions without appropriate human supervision;
generation, dissemination, or facilitation of malware, phishing, spam, or any activity intended to compromise systems or accounts;
uploading sensitive data or special categories of personal data within the meaning of the GDPR (e.g., health, biometric, political opinions), unless expressly authorized in writing and governed by a DPA and appropriate security measures;
use intended to generate abnormally high volumes of LLM tokens or to artificially multiply conversations or workflows in order to circumvent Quotas.

Sanctions

In the event of a violation, MyTraffic may apply limitations, suspend access, or terminate the Contract.
Immediate measures may be taken where there is a security, compliance, or third-party rights risk.

MyTraffic may suspend access immediately in the event of a security, compliance, or third-party rights risk and shall notify the Client as soon as reasonably practicable of the general reasons for such action. Access may be restored if the violation is remedied, unless a continuing risk or legal obligation prevents reinstatement.

APPENDIX 3 — Security Incident Exhibit

1) Notification

MyTraffic shall notify the Client without undue delay after reasonable confirmation of a security incident impacting the Service.
Where the incident involves personal data processed on behalf of the Client, notification and assistance obligations shall be governed by the DPA (GDPR).

Notification shall occur once the incident is reasonably confirmed by MyTraffic and presents a significant impact on the confidentiality, integrity, or availability of the Service or the affected data.

2) Minimum Content of Notification

To the extent reasonably available at the time and permitted by legal, contractual, and security requirements, the notification shall include:

a description of the incident (nature, date, scope);
the types of data potentially affected;
the likely impact;
measures already taken;
recommendations for the Client;
next steps.

3) Communication Channel

Notification shall be sent by email to the security contact designated in the Order Form or, failing that, to the contractual contact.
MyTraffic contact: support@mytraffic.fr
Email subject: “Security Incident – GINI”

4) Update Frequency

MyTraffic shall provide reasonable updates proportionate to the severity of the incident (e.g., daily for critical incidents, weekly for major incidents).
A closing report may be provided upon reasonable request.

5) Cooperation

The Client shall reasonably cooperate with MyTraffic.
MyTraffic may implement protective measures as necessary, including credential resets, token revocation, or temporary suspension of access.

6) No Admission of Liability

Any notification or communication made pursuant to this Appendix shall not constitute an acknowledgment of fault, liability, or breach by MyTraffic.

APPENDIX 4 — AI Safety Exhibit

Authorized Use Cases

business decision support (including area analysis, document summarization, and generation of tables and insights)

Prohibited / Restricted Use Cases

automated sensitive decisions without appropriate human supervision;
data exfiltration;
any use in violation of the Acceptable Use Policy (AUP).

Controls

MyTraffic implements reasonable technical and organizational controls, including in particular:

rate limiting;
anomaly detection;
prompt-injection and jailbreak prevention;
output filtering;
measures aimed at reducing risks related to personal data (PII) exposure;
traceability and logging.

The controls and measures described above constitute reasonable technical and organizational measures intended to reduce the risks associated with use of the Service. They do not guarantee the complete absence of errors, bias, interruptions, or abusive use, nor do they guarantee any specific result.

Processes

limited red teaming exercises;
quality review procedures;
rollback and/or kill switch mechanisms in the event of a significant risk.

Change Management

Model and/or dataset versioning is implemented where reasonably possible.
Material changes are notified through release notes or equivalent communications.

Regulatory Qualification

The Service is designed and provided as a limited-risk artificial intelligence system within the meaning of applicable European regulations, subject to the Client’s compliance with the authorized use cases and the restrictions set forth herein and in the AUP.

Feedback

A support channel is available to report problematic Outputs or abusive use cases.

APPENDIX 5 — Trust Center Summary

This Appendix 5 constitutes an informational summary (“Trust Center Summary”) provided for transparency purposes only. In the event of any inconsistency, the GTSU, the applicable Order Form, and/or the DPA shall prevail.
The measures described herein may evolve in accordance with the Contract.

Security

encryption at rest where applicable, depending on components and offers;
role-based access control (RBAC) and least-privilege principles;
multi-factor authentication (MFA / 2FA) for sensitive and/or administrative access;
access logging and periodic access reviews;
anti-abuse measures.

Retention

GINI logs retained for 90 days (standard);
automatic deletion;
legal hold where applicable;
accelerated deletion available as an option and/or upon request, subject to legal obligations and legal hold requirements.

Subprocessors

AWS (primary hosting region as contractually agreed, where applicable);
LLM Providers (depending on Service architecture).

Where transfers outside the EEA are required, appropriate transfer mechanisms apply (including Standard Contractual Clauses).
Material changes to subprocessors are notified in accordance with the Contract and/or the DPA.

Incidents

notification without undue delay;
minimum information content;
proportionate updates;
cooperation with the Client.

Artificial Intelligence

transparency regarding AI use and limitations;
human review requirements;
AI safeguards;
prohibition of sensitive uses without appropriate supervision.

Privacy

DPA available (Article 28 GDPR);
data minimization;
deletion in accordance with the DPA and/or the Contract.

Contact

Support and security reporting: support@mytraffic.fr

APPENDIX 6 — Evaluation / Trial Conditions

6.1 Purpose

Where MyTraffic grants the Client access to the Service on a trial, evaluation, demonstration, or free basis (“Trial”), the Client may use the Service within the limits set out below and as displayed in the Service Interface.

6.2 Duration

The Trial is granted for a fixed period of fourteen (14) calendar days, unless expressly stated otherwise at the time of activation (via the website and/or the Service Interface). The Trial start date and end date are displayed in the Service Interface.

Unless expressly agreed otherwise by MyTraffic, the Client may benefit from a Trial and/or a free (“freemium”) offer only once every six (6) months following the end of the previous Trial or freemium period.

6.3 Access and Activation (Self-Service)

The Trial may be activated on a self-service basis via the MyTraffic website, without mandatory prior qualification. MyTraffic reserves the right to limit, suspend, or refuse access to the Trial in the event of abuse, fraud, or non-compliance with these GTSU and/or the AUP.

6.4 Scope / Quotas / Support

The features available during the Trial, as well as applicable Quotas and technical limits, are those displayed in the Service Interface at the time of use.

The Trial is provided “as is”, without warranty, without any service level commitment (SLA), and with limited support.

6.5 Continuity from Trial to Paid Offer (Account, Data, Configuration)

If the Client subscribes to a paid offer at the end of the Trial, the Client shall retain the same Account, as well as the settings, configurations, and data created during the Trial, subject to compliance with these GTSU and payment of the amounts due.

Such continuity is guaranteed provided that subscription to a paid offer occurs no later than seven (7) calendar days following the end of the Trial.

6.6 Pre-Expiration Notifications

Prior to the expiration of the Trial, the Client may receive informational notifications (by email and/or in-app) regarding the upcoming end of the Trial and subscription options.

6.7 End of Trial / Upgrade / Payment

At the end of the Trial, if the Client has not subscribed to a paid offer, access to Trial features shall be blocked and the Client shall be invited to subscribe to a paid offer.

No payment information is required to activate the Trial. Payment details are requested only at the time of subscription to a paid offer.

6.8 Subscription to a Paid Offer

Subscription to a paid offer may be completed:

(i) on a self-service basis via the Service Interface (in particular for the Pro package); or
(ii) through MyTraffic’s sales teams, depending on the selected package and the agreed commercial terms.