GENERAL TERMS OF SERVICE AND USE (B2B)

GINI: MyTraffic AI Assistant

Version 1.3 – Date: 20/04/2026

1. Legal Notice

MYTRAFFIC SAS

12 rue Vivienne (Lot 3), 75002 Paris, France

SIRET: 814 849 113 00026

Support email: support@mytraffic.fr

2. Preamble: MyTraffic and the Service

MyTraffic develops analysis and mapping solutions for professionals, providing access to indicators and analyses relating in particular to footfall, commercial environments, area dynamics, and decision support for location strategy.

GINI is a conversational AI service integrated into the MyTraffic ecosystem. Authorized Users submit Prompts and receive Outputs (responses, recommendations, summaries, tables).

The Outputs are intended as decision-support tools only and do not constitute professional advice nor a guarantee of performance.

3. Definitions

For the purposes of these General Terms of Service and Use (“GTSU”), terms beginning with a capital letter have the following meanings:

“Authorized User”: any person authorized by the Client to access the Service via an account.

“Account”: an account enabling access to the Service, created for the Client and/or its Authorized Users.

“Billing Period”: a monthly or annual period depending on the subscribed offer, as indicated at the time of subscription via the Service Interface and/or the Order Form / Quotation.

“Client” or “Customer”: any legal or natural person acting in a professional capacity who has subscribed to the Service.

“Client Documents”: any files, documents, or data uploaded by the Client or an Authorized User into GINI (including PDFs, spreadsheets, or similar documents), where applicable.

“Client Content”: all Prompts, Client Documents, and content provided by the Client in connection with the Service.

"Credits": a unit of consumption of the Service, constituting a Quota within the meaning of these terms. Credits apply solely to offers expressly designated as usage-capped, as specified 

in the applicable pricing plan and/or Service Interface. Unlimited plans do not operate on a Credit-based consumption model.

"Country Scope": the list and number of countries in respect of which the Client is authorised to use the Service, as specified in the Order Form / Quotation or, for self-serve offers, as selected by the Client at the time of subscription via the Service Interface. Country Scope constitutes a contractual parameter of the subscribed offer.  MyTraffic does not technically restrict access to countries beyond the contracted Country Scope at the platform level; compliance with the contracted Country Scope is the Client's sole responsibility and may be verified by MyTraffic at renewal

“DPA”: the Data Processing Agreement entered into between the Parties where applicable (Article 28 GDPR).

“MyTraffic Data”: datasets, analytics, indicators, methodologies, models, content, and elements provided by MyTraffic independently of Client Content.

“Organization”: the contractual “Client” entity attached to an Account, within which Authorized Users, Seats, and Quotas are managed.

“Output / Result”: any content generated by GINI in response to a Prompt and/or based on a Client Document (including recommendations, summaries, tables, analyses).

“Order Form / Quotation”: any contractual document or equivalent medium (including online subscription, pricing plan, administration interface, or specific terms accepted electronically) specifying, depending on the applicable offer, the scope of the Service, duration, features, usage quotas, price, and, where applicable, API access conditions.

"Package Restructuring": any modification by MyTraffic of the allocation of features, modules, or options across the available pricing plans, tiers, or packages, including without limitation the reallocation of a feature from one tier to a higher tier, the conversion of an included feature into a paid option, or the bundling or unbundling of features across offers. Package Restructuring does not include changes to Quotas (usage volumes), which are governed by the Credits and Quotas provisions herein.

“Prompt / Input”: any instruction, question, or request submitted to GINI by an Authorized User.

"Quotas": usage limits applicable to the Service depending on the subscribed offer (for example number of requests, processing volume, credits, documents, Authorized Users, number of countries, or any other usage metric specified in the Order Form / Quotation, pricing plan, and/or Service Interface).

“Service”: the MyTraffic web application accessible via a browser; API access is available only if expressly provided for in the Order Form / Quotation.

“Service Interface”: the application interface (including dashboards and management screens) enabling the Client to view or manage, depending on the subscribed offer, the Service’s features, quotas, Authorized Users, and settings.

“Seat”: a named access right allowing one (1) natural person, an Authorized User, to access the Service on behalf of the Client.

"Third-Party AI Providers" or "LLM Providers": third-party service providers involved in the operation of all or part of the Service, acting as sub-processors within the meaning of Article 28 GDPR. These include: (i) aggregation or routing layer providers (including OpenRouter, which routes requests to downstream model providers); and (ii) downstream model providers whose models are accessed via such aggregation layer (for example Anthropic, OpenAI, Mistral, Google, and any other provider listed in the applicable Trust Center documentation). The list of active sub-processors may evolve and is made available to the Client via the Trust Center or equivalent documentation.

“Trust Center Summary”: an informational summary of security, privacy, and organizational measures set out in Appendix 5, provided for transparency purposes.

4. Contractual Documents – Order of Priority

The contractual documents governing the Service are, in descending order of priority:

1. the Order Form / Quotation and, where applicable, any specific terms accepted by the Parties;
2. the DPA and any amendment relating to the processing of personal data, where applicable;
3. the Evaluation / Trial Conditions, where applicable;
4. these GTSU and their appendices (including the AUP(Acceptable Use Policy set out in Appendix 2), AI Safety Exhibit, Security Incident Exhibit, and Trust Center Summary);
5. the pricing plan, the Service Interface, and any documentation or reference information made available by MyTraffic.

5. Purpose: Scope of the Service

5.1 These GTSU define the conditions for access to and use of GINI, as well as the rights and obligations of the Parties, including with respect to data, security, compliance, and liability.

5.2 The functional scope, activated modules, quotas, number of Authorized Users, and, where applicable, API access are defined in the Order Form, or failing that, in the applicable pricing plan and/or Service Interface. The features, modules, and options available to the Client at any given time are those included in the subscribed offer as defined in the then-current pricing plan, Service Interface, and/or Order Form / Quotation. The Client acknowledges that the functional scope of each pricing plan may evolve over time, including through Package Restructuring as defined in the Definitions section, in accordance with the conditions set out in the Package Restructuring section herein. Unless expressly agreed in writing by MyTraffic, no feature not included in the subscribed offer (including "Enterprise" features) may be made available to the Client, whether free of charge or on a promotional basis.

The Client acknowledges that the operation of the Service involves the transmission of Prompts, conversation history, and, where applicable, Client Documents to Third-Party AI Providers acting as sub-processors, including via an AI model aggregation layer. Such transmissions may involve providers located outside the European Economic Area, in which case appropriate transfer mechanisms (including Standard Contractual Clauses) apply. MyTraffic implements technical measures to minimise the personal data exposed in such transmissions, including Zero Data Retention (ZDR) configurations where available and applicable.

5.3 Online offers, trial, and variable usage (Trial / Freemium / Usage-based).

‍When the Client subscribes to the Service through an online offer, trial, free (“freemium”), or usage-based offer, the available features, Quotas, technical limits, and any applicable restrictions (including rate limits, volumes, number of documents, and/or prioritization) are those (i) of the subscribed pricing plan and/or (ii) displayed in the Service Interface at the time of use.

5.3.1 In the event of Quota overruns or abnormal usage (including unusually high volumes of processed data or generated LLM tokens), MyTraffic may apply limitations, temporarily suspend certain features, or invite the Client to upgrade its offer.

5.3.2 Quotas and usage metrics may be reasonably adjusted in order to:

1. prevent abuse;
2. protect the security, performance, or integrity of the Service;
3. account for technical or regulatory developments; or
4. reflect substantial cost changes related to third-party providers essential to the operation of the Service, including AI model providers.

5.3.3 Such adjustments to Quotas (as defined herein, i.e. usage volumes, rate limits, and processing thresholds) shall not result in a substantial reduction of the Client's usage volumes under an ongoing Order Form, unless agreed by the Parties or unless MyTraffic implements reasonable alternative measures (such as a pricing adjustment, model change, or modification of the usage scope). For the avoidance of doubt, the allocation of features and modules across pricing plans is governed exclusively by the Package Restructuring section herein and is not subject to the limitations set out in the Credits section herein.

5.3.4 Country Scope: self-serve offers. For self-serve offers, the Client selects at the time of subscription the country in respect of which it intends to use the Service ("Country Scope"), as displayed in the Service Interface. The Country Scope constitutes a contractual parameter of the subscribed offer. MyTraffic does not technically restrict access to countries beyond the contracted Country Scope at the platform level; compliance with the contracted Country Scope is the Client's sole responsibility and may be verified by MyTraffic at renewal.

5.3.3 Credits

Volumes. For capped-usage plans, the Service includes a fixed number of Credits per Billing Period, as specified in the applicable pricing plan and/or Service Interface. One (1) Credit is consumed per conversation or workflow initiated. Additional Credits may be consumed where the data volume processed within a single conversation exceeds the threshold defined in the Service Interface. Unused Credits at the end of a Billing Period are not carried over and are reset upon renewal.

Monthly offers. Certain monthly offers may be limited to a specific number of Seats and specific Quotas, as displayed in the Service Interface at the time of subscription. These offers may not allow the purchase of additional Seats or options, unless the Client upgrades to an eligible offer.

Reasonable use. In order to prevent abuse and protect the performance of the Service, a reasonable use limit is applied at the Organization level, including in particular: (i) an average cap of two million (2,000,000) LLM tokens generated per conversation; and (ii) a global threshold for the number of conversations and/or workflows initiated over a given period. The foregoing reasonable use limits apply to all plans, including unlimited plans, as anti-abuse measures and not as Quota restrictions

Beyond these safeguards, MyTraffic reserves the right to temporarily limit the Service, temporarily block the Account, suspend access, or invite the Client to upgrade its offer, in accordance with these GTSU.

No standalone purchase of Credits. Unless otherwise specified in the Order Form / Quotation, the Client may not purchase Credits (or a quota of conversations/workflows) on a standalone basis. Any additional usage needs requires an upgrade of the offer (change of package and/or addition of Seats) under the conditions available in the Service Interface and/or through MyTraffic’s sales teams.

‍5.4 Client Content May Include Business-Sensitive Information

The Client acknowledges and agrees that, depending on its use, Client Content provided to the Service (Inputs, uploaded documents, text, tables) may contain: (i) confidential information and/or trade secrets of the Client or third parties; and/or (ii) personal data.

The Client remains solely responsible for the selection of the information it transmits through the Service, in accordance with these GTSU, the AUP (Appendix 2), and, where applicable, the DPA.

5.5 File Uploads

The Service allows the Client and its Authorized Users to upload files and documents (including PDFs, spreadsheets, or similar documents) in order to enable their analysis, summarization, or processing by GINI as part of the Service’s functionalities.

5.5.1 Data Retention within the Service. The following retention periods apply to data processed within the Service:

5.5.2. Prompts and conversation history: retained for the duration of the active session and for a period not exceeding twelve (12) months thereafter, subject to automatic purge currently in implementation; as indicated in the Service Interface and/or the applicable DPA;

5.5.3 Uploaded Documents (Client Documents): retained for the duration of the processing session only; immediate deletion following processing is implemented where technically feasible;

5.5.4 Technical metadata (timestamps, model identifiers, token counts): retained for a period not exceeding ninety (90) days for security and traceability purposes.

5.5.5 Data transmitted to Third-Party AI Providers: MyTraffic implements contractual safeguards with each provider receiving Customer Content, including Data Processing Agreements incorporating Standard Contractual Clauses (SCCs 2021 Module 2) pursuant to Article 28 GDPR. Zero Data Retention (ZDR) configuration is implemented where available and applicable as a supplementary technical measure. MyTraffic does not represent that ZDR is activated for all providers at all times; contractual safeguards constitute the primary compliance mechanism.

The Client may request accelerated deletion of its data by contacting MyTraffic at support@mytraffic.fr, subject to applicable legal hold requirements.

5.6 Package Restructuring

5.6.1 Right to Restructure. MyTraffic reserves the right to modify, at any time, the allocation of features, modules, and options across its pricing plans, tiers, and packages ("Package Restructuring"), including by: (i) reallocating a feature from one pricing plan to a higher-tier plan; (ii) converting an included feature into a separately priced option or add-on; (iii) bundling or unbundling features across offers; or (iv) creating new feature tiers or categories or (v) modifying the countries available within a given pricing tier or plan, including the addition or removal of countries from a Geo Package.

5.6.2 Application to Existing Clients. Package Restructuring shall apply as follows: (a) for subscriptions governed by an Order Form with a fixed commitment period: at the end of the current commitment period, upon renewal; (b) for month-to-month subscriptions or subscriptions without an Order Form: upon the next Billing Period following the expiry of the notice period set out in the Financial Conditions section herein; (c) for new subscriptions: immediately.

5.6.3 Impact on Access. In the event that a feature previously included in the Client's subscribed offer is reallocated to a higher-tier plan or converted into a paid option as a result of a Package Restructuring, the Client's access to such feature shall be maintained until the end of the applicable Billing Period or commitment period. Thereafter, continued access to the reallocated feature shall require the Client to upgrade to the applicable plan or subscribe to the relevant option at the then-current pricing.

5.6.4 No Acquired Right. The Client acknowledges that the inclusion of a feature in a given pricing plan at the time of subscription does not create an acquired right (droit acquis) to the perpetual inclusion of such feature in such plan. The allocation of features across plans is determined by MyTraffic at its reasonable discretion, subject to the notification and transition mechanisms set out herein.

5.6.5 Good Faith. MyTraffic undertakes to exercise its Package Restructuring rights in good faith and shall not use Package Restructuring solely or primarily for the purpose of circumventing its obligations under an ongoing Order Form.

5.7 Package Restructuring — Notification and Acceptance

‍5.7.1 Notification. In the event of a Package Restructuring, MyTraffic shall notify the Client at least thirty (30) days prior to the effective date of such change. Notification shall be provided via the Service Interface and/or by email to the contractual contact designated by the Client.

‍5.7.2 Content of Notification. The notification shall include: (i) a description of the features affected by the Package Restructuring; (ii) the effective date of the change; (iii) the upgrade path or option required to maintain access to the affected features; and (iv) the applicable pricing for such upgrade or option.

5.7.3 Deemed Acceptance. If the Client does not object in writing within fifteen (15) calendar days of the notification, the Package Restructuring shall be deemed accepted by the Client. The Client's continued use of the Service after the effective date of the Package Restructuring shall constitute acceptance of the new feature allocation.

5.7.4 Objection and Termination Right. If the Client objects in writing within the fifteen (15) day period and no agreement is reached between the Parties within a further fifteen (15) calendar days, the Client may terminate the affected subscription at the end of the current Billing Period or commitment period, without penalty and without early termination fees. Such termination right constitutes the Client's sole and exclusive remedy with respect to the Package Restructuring.

5.7.5 Transition Period. During the period between the notification and the effective date of the Package Restructuring, the Client shall retain access to the affected features under the existing terms of its subscription. No access shall be removed prior to the expiry of the applicable Billing Period or commitment period.

6. Access to the Service; Accounts and Credentials

6.1 The Service is accessible via a personal username and password (or any other authentication mechanism offered). The Client is responsible for managing access rights and maintaining the confidentiality of credentials.

Any unauthorized use must be reported to MyTraffic without delay.

Usage limits, Quotas, and features applicable to the Service may be defined or specified in the Order Form, the subscribed pricing plan, and/or the Service Interface. In the event of exceeding such limits, MyTraffic may apply limitations, temporary suspensions, or propose an upgrade of the offer.

‍6.2 Seats (Authorized Users)

The number of Seats included in the offer corresponds to the maximum number of Authorized Users who may access the Service simultaneously or actively within the Organization.

The applicable number of Seats, prices, billing terms, Quotas, and usage limits (including Seats and Credits) are those indicated in the pricing plan, the Service Interface, and/or the Order Form / Quotation.

Credential sharing between multiple individuals is prohibited. In the event the number of Seats is exceeded, MyTraffic may limit access, suspend certain features, and/or invite the Client to upgrade its offer.

6.3 Financial Conditions:

Access to the Service is subject to payment of the plan or offer selected by the Client.

Prices, billing terms, applicable Quotas, and usage limits are those indicated, depending on the offer, in the Order Form / Quotation, the pricing plan, and/or the Service Interface at the time of subscription or use.

Unless otherwise stated, prices are expressed exclusive of taxes, which shall be invoiced in addition in accordance with applicable regulations.

Access to the Service is conditional upon payment of all amounts due. In the event of non- payment, MyTraffic reserves the right to limit or suspend access to the Service until payment is made.

Any changes to prices or Quotas shall not affect the conditions applicable during the term of an ongoing Order Form. For offers without an Order Form, changes shall apply prospectively and shall be communicated to the Client via the Service Interface or any other appropriate means.

Promotions and discounts. Promotions, discounts, or pricing benefits may be offered for a limited duration and subject to eligibility conditions communicated at the time of the offer (event, early adopters, end-of-period campaigns, etc.). Unless expressly stated otherwise, promotions are not cumulative and apply only for the indicated period; upon expiry, the then-current standard pricing shall apply.

Pricing plan changes. Changes to the pricing plan (including pricing, Quota allocations, and feature-to-plan mappings resulting from a Package Restructuring) apply to new subscriptions, renewals requiring a new subscription, and upgrades performed after the effective date of such changes. Ongoing subscriptions remain governed by the pricing conditions applicable at the time of subscription for the duration of the current Billing Period or commitment period. However, the functional scope of each pricing plan (i.e. which features are included in which plan) may evolve in accordance with the Package Restructuring section herein, and the Client acknowledges that no feature lock or perpetual feature entitlement shall apply beyond the current Billing Period or commitment period, unless expressly agreed in writing in the applicable Order Form.

Geo packages. MyTraffic may offer pre-packaged regional pricing bundles ("Geo Packages") corresponding to a predefined set of countries, as communicated at the time of the offer or set out in the Order Form / Quotation. Geo Packages constitute contractual pricing arrangements tied to the contracted Country Scope. Any expansion of the Country Scope beyond the contracted Geo Package shall require a new Order Form or written amendment and shall be subject to the then-current pricing applicable to the expanded scope.

7. Conditions of Use: AUP (Summary)

The Client undertakes to comply with Appendix 2 (Acceptable Use Policy – AUP). In particular, the following uses are prohibited:

• illegal activities, fraud, or discrimination;

• large-scale data extraction, scraping, or abusive automation;

• reverse engineering, circumvention of Quotas or security measures;

• attempts at prompt injection, jailbreak, or data exfiltration;

• uploading unlawful content or content infringing third-party rights;

• collection or processing of unauthorized sensitive data and uploading confidential information of third parties (including trade secrets) without authorization or in breach of a confidentiality obligation. MyTraffic may suspend or limit access to the Service in the event of abuse, security risk, or non-compliance with these GTSU and/or the AUP.
• submitting Prompts or uploading Client Documents that contain special categories of personal data within the meaning of Article 9 GDPR (including health data, political opinions, religious beliefs, sexual orientation, or biometric data), unless the Client has obtained the express consent of the data subjects concerned and has notified MyTraffic in advance in writing.

8. AI-Specific Provisions (Professional-Grade Approach)

8.1 Transparency

The Client acknowledges that GINI incorporates artificial intelligence functionalities and that Users interact, in whole or in part, with an automated system.

8.1.1 Information and Display Obligation

MyTraffic shall implement reasonable means to ensure that the Service displays, at the latest upon an Authorized User’s first interaction with GINI and in a manner that remains easily accessible during use, a notice indicating that the User is interacting with an artificial intelligence system.

The Client, in turn, undertakes to inform its Authorized Users (in particular through its internal policies and/or applicable terms of use) that they are interacting with an AI system and that Outputs are subject to the limitations described herein.

‍8.1.2 International Transfers and Sub-processors.

The Client acknowledges that the operation of the Service may involve the transfer of personal data contained in Prompts, conversation history, and Client Documents to Third-Party AI Providers located outside the European Economic Area, in particular in the United States of America. Such transfers are governed by appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46 GDPR, and, where applicable, Transfer Impact Assessments (TIAs).

8.2 Probabilistic Nature – No Warranty

Outputs are probabilistic and may contain errors, omissions, approximations, or biases. MyTraffic does not warrant the accuracy, completeness, or fitness of Outputs for any specific purpose.

8.3 Decision Support – No Professional Advice

Outputs are provided for informational purposes only and constitute decision-support tools. They do not constitute professional advice (legal, financial, real estate, or otherwise).

8.3.1 Non-Deceptive Use and Contextualization of Outputs

The Client shall refrain from: (i) presenting Outputs as human-generated, certified, verified, or as personalized professional advice; (ii) substantially removing or obscuring warnings relating to the limitations of Outputs when communicated to third parties; and (iii) using Outputs as the sole basis for decisions likely to have significant impacts without human review in accordance with the Human Review section herein.

8.4 Human Review

The Client remains solely responsible for its use of Outputs and undertakes to implement a reasonable human review before any decision-making or implementation.

8.5 Sensitive Uses

The Client shall not use GINI to automate decisions producing significant legal effects on individuals without appropriate human supervision and without an adequate legal framework. In particular, the Client shall refrain from including, in any Prompt or Client Document, personal data of third parties that is not strictly necessary for the intended use case, and shall take all reasonable measures to anonymise or pseudonymise such data prior to submission to the Service.

8.5.1 Change of Use Case / Regulatory Requalification

The Client undertakes to notify MyTraffic without delay if it intends to use the Service in a context likely to trigger enhanced regulatory obligations (in particular under European artificial intelligence regulations) or involving high-impact decisions concerning natural persons.

In such case, MyTraffic may, at its reasonable discretion: (i) refuse the proposed use case; (ii) suspend access to the Service for the relevant scope; and/or (iii) propose additional contractual terms and compliance measures prior to any continued use.

User warning. The Client acknowledges that the Service is not intended for permanent document storage and undertakes to avoid uploading unnecessarily sensitive or confidential information, in accordance with the data minimization principle.

9. Data, Intellectual Property, and Licenses

9.1 MyTraffic Ownership

MyTraffic retains all intellectual property and/or exploitation rights in GINI, the documentation, and the MyTraffic Data. No transfer of ownership is granted.

9.2 License to Use MyTraffic Data

Subject to payment of all amounts due and compliance with these GTSU, MyTraffic grants the Client a license to access and use the MyTraffic Data that is:

• strictly limited, non-exclusive, non-assignable, non-transferable, and non-sublicensable;

• restricted to the Client’s internal use;

• limited to the scope (modules, areas, Quotas, users) defined in the Order Form;

• granted for the duration of the contract only.

Unless expressly agreed in writing by MyTraffic, the Client is prohibited from reselling, publishing, distributing, making available, granting access to, or otherwise exploiting the MyTraffic Data for the benefit of any third party (including affiliates, group companies, franchisees, partners, service providers, or advisors).

9.3 Prohibition on Reuse / Third-Party Tools / Training / Derivatives

Unless expressly agreed in writing by MyTraffic, the Client shall not:

• integrate, synchronize, or import MyTraffic Data into third-party tools or platforms (including data warehouses/lakes, BI tools, indexing engines, analytics platforms, or AI tools) where such integration enables autonomous reuse of MyTraffic Data outside the Service;

• train, retrain, fine-tune, evaluate, or improve any model or algorithm (including AI/ML, whether generative or not) using MyTraffic Data;

• create, derive, commercialize, or make available indicators, scores, databases, products, or services that are substantially derived from MyTraffic Data, including through hybridization with third-party data;

• reconstruct databases, circumvent Quotas, or perform any systematic extraction (scraping, crawling, abusive automation).

The obligations set out in the License to Use MyTraffic Data and Prohibition on Reuse sections above shall survive termination of the contract.

9.4 Client Content

The Client retains ownership of its Client Content. The Client authorizes MyTraffic to host, process, reproduce, and analyze Client Content strictly for the purposes of providing the Service, ensuring security and anti-abuse measures, complying with legal obligations, and maintaining the Service.‍

9.5 Outputs

Subject to MyTraffic’s rights and third-party rights, the Client may use the Outputs for its internal needs. The Client acknowledges that similar Outputs may be generated for other users without this constituting a breach of confidentiality.

9.6 Client Content and Uploaded Files

The Client remains solely responsible for the Client Content provided to the Service, including files, documents, and data uploaded or entered via GINI.

The Client represents and warrants that it holds all necessary rights, authorizations, and legal bases to provide such Client Content, including where it contains confidential information, trade secrets, or personal data. The Client undertakes to upload only information strictly necessary for the intended purpose (data minimization principle) and not to use the Service to process special categories of personal data within the meaning of the GDPR (including health, biometric, genetic data, political opinions, or religious beliefs), unless expressly agreed in writing by MyTraffic and subject to appropriate contractual safeguards, including a DPA and enhanced security measures.

MyTraffic processes Client Content exclusively for the purposes of providing the Service, in accordance with these GTSU, the AUP (Appendix 2), and, where applicable, the DPA.

10. Third-Party AI Providers (LLM Providers)

GINI may rely on Third-Party AI Providers to operate all or part of the Service. Client Content may be processed by such providers to the extent necessary for the provision of the Service, in accordance with the applicable confidentiality and security commitments.

An indicative list of subcontractors (LLM and/or cloud providers) is set out in Appendix 1. MyTraffic may update this list; in the event of a material change, MyTraffic shall notify the Client in accordance with the terms set out in the Order Form or, failing that, by any reasonable written means.

11. Trust & Security (Trust Center–Style Summary – MyTraffic)

11.1 Positioning

MyTraffic does not claim, under these GTSU, to hold any specific certification (such as SOC 2 or ISO  27001),  unless  expressly  stated  in  a  separate  contractual  document. 

However, MyTraffic implements technical and organizational security measures proportionate to the identified risks, as described below.

11.2 Security Measures (Examples of Controls)

By way of illustration, MyTraffic implements the following measures, depending on the applicable technical scope:

• data encryption at rest;

• access controls and authorizations based on the “need-to-know” principle (least privilege / RBAC);

• enhanced authentication mechanisms (MFA / 2FA) for sensitive access;

• access logging and periodic access rights reviews;

• data retention and deletion policies (lifecycle management), and legal hold mechanisms where applicable;

• anti-abuse measures, including rate limiting, anomaly detection, and application-level security control. 

11.3 AI Traceability (Logs)

For security, support, abuse prevention, and incident investigation purposes, MyTraffic may retain logs associated with GINI interactions, including prompts, outputs, timestamps, Client/account identifiers, IP addresses, user identifiers, model versions, and technical metrics.

Retention periods. Unless otherwise specified in the Order Form or required by law, MyTraffic applies by default a retention period of ninety (90) days from the date of collection for traceability logs relating to the Service.

For certain offers or options, as specified in the applicable Order Form, an extended retention period of up to one (1) year may be agreed.

Logs may be subject to a legal hold where required by law or by a request from a competent authority. Upon expiry of the applicable retention periods, logs are deleted or anonymized in accordance with MyTraffic’s retention policy and, where applicable, the DPA.

11.4 AI Safeguards

‍MyTraffic implements reasonable safeguards, including basic prompt- injection prevention, output filtering, controls aimed at reducing the risk of unintended personal data exposure, and usage volume limitation mechanisms.

11.5 Incident Management

MyTraffic maintains incident management procedures. In the event of a security incident affecting the Service, MyTraffic shall inform the Client within a reasonable timeframe and shall cooperate in good faith to mitigate impacts.

Where personal data are processed on behalf of the Client (processor role), notification and assistance obligations are detailed in the DPA.

12 GDPR – Personal Data

The Client represents and warrants that it holds all necessary rights, authorizations, and legal bases to upload and process Client Content via GINI.

12.1 Processor Role

Where MyTraffic acts as a processor within the meaning of the GDPR, the Parties shall enter into a Data Processing Agreement (DPA specifying the instructions, security measures, subprocessors, transfers, retention periods, and deletion mechanisms).

12.2 DPA Required for Processing on Behalf of the Client

Where the Client uses the Service to process personal data through Client Content, MyTraffic acts as a processor within the meaning of the GDPR, and the Parties agree to implement a DPA (Article 28 GDPR).

Such DPA shall describe in particular the subject matter, duration, nature, and purpose of the processing, the types of personal data and categories of data subjects, the security measures, the list of onward subprocessors, and, where applicable, transfer mechanisms.

In the absence of a required DPA, MyTraffic may suspend the processing of Client Content containing personal data until compliance is achieved.

12.3 Processing of Personal Data via Uploaded Files

Where the Client uses the Service to upload, analyze, or process files or documents containing personal data, MyTraffic acts as a processor within the meaning of the GDPR.

In such case, the Parties agree to enter into a DPA compliant with Article 28 of the GDPR, prior to or concurrently with such processing.

Failing the implementation of a required DPA, MyTraffic reserves the right to suspend the processing of the relevant Client Content until compliance is restored.

13. Support, Maintenance, Availability

‍Support. Support is available at support@mytraffic.fr, in accordance with the terms set out in the applicable Order Form. MyTraffic may temporarily interrupt the Service for scheduled or emergency maintenance.

Service Level Agreement (SLA). Any service level commitments apply only if expressly provided for in an Order Form and/or an SLA appendix. Failing such provisions, no specific availability commitment is made.

14. Liability and Limitations

MyTraffic is bound by a best-efforts obligation.

Subject to mandatory statutory provisions, MyTraffic shall not be liable for any indirect, consequential, incidental, or special damages, including loss of profit, loss of data, loss of opportunity, or business interruption.

Liability cap. MyTraffic’s total aggregate liability in connection with the Service shall not exceed the total amount actually paid by the Client for the Service during the twelve (12) months preceding the event giving rise to the claim, except in cases of gross negligence (faute lourde), willful misconduct (dol), or bodily injury.

AI-specific clause : The Client remains solely responsible for verifying Outputs and for all decisions made on the basis thereof.

15. Suspension and Termination

MyTraffic may suspend access to the Service in the event of abuse, security risk, or breach of these GTSU and/or the AUP.

Either Party may terminate the Contract in the event of a material breach by the other Party that remains uncured within a reasonable period following written notice, in accordance with the terms set out in the Order Form or, failing that, within thirty (30) days.

16. Term, End of Contract – Cessation of Use, Deletion/Return, Verification

12.1 This Agreement shall remain in force for the initial term specified in the applicable Order Form (the “Initial Term”). Upon expiration of the Initial Term, the Agreement shall be automatically renewed for successive periods of the same duration (each a “Renewal Term”), unless either Party provides written notice of termination at least two (2) months prior to the end of the then- current term. The Client shall be notified in advance of each upcoming renewal period in order to ensure full transparency regarding the continuation of the Agreement

16.2 Cessation of Use

Upon expiration or termination of the Contract, the Client shall: (i) cease all access to and use of the Service; and (ii) cease any use of the MyTraffic Data, unless otherwise provided for in the Contract (in particular, vested rights relating to expressly identified deliverables).

16.3 Deletion of MyTraffic Data

Within thirty (30) days following the end of the Contract, the Client shall delete or render unusable all copies of the MyTraffic Data in its possession or under its control, including extracts and exports insofar as they enable substantial reconstruction of the MyTraffic Data or independent use outside the Service.

This article does not require deletion of the Client’s internal documents (reports, presentations, decisions) that contain only aggregated results or Outputs that do not allow substantial reconstruction of the MyTraffic Data.

16.4 Deletion Certificate

Upon written request from MyTraffic, the Client shall provide a deletion certificate signed by a duly authorized representative within a reasonable timeframe.

16.5 Targeted Verification

In the event of a reasonable suspicion of non-compliance with the obligations set out in this article (in particular unauthorized use or retention of substantial extracts of the MyTraffic Data), MyTraffic may request a targeted verification.

Such verification shall take the form, at MyTraffic’s reasonable discretion, of:

1. a compliance questionnaire and/or
2. limited, strictly necessary, and non-intrusive supporting evidence.

An on-site audit or audit by an independent third party may be requested only as a last resort, subject to reasonable prior notice, during business hours, and in compliance with confidentiality obligations.

16.6 Costs

The cost of any verification or audit shall be borne by MyTraffic, unless such verification or audit reveals a material breach by the Client, in which case the reasonable costs thereof may be invoiced to the Client.

16.7 Personal Data (Reminder)

Where applicable, deletion or return of personal data contained in Client Content is governed exclusively by the DPA.

17. Governing Law – Jurisdiction

These TOS are governed by French law.

The competent courts shall be those of Paris, unless otherwise specified in the Order Form.

18. Confidentiality

Definition :

“Confidential Information” means any information disclosed by one Party to the other Party, in any form whatsoever, that is identified as confidential or that, by its nature, should reasonably be considered confidential, including without limitation MyTraffic Data, Client Content, specifications, technical data, pricing, roadmaps, code, and Outputs.

‍Exclusions:

Confidential Information does not include information that: (i) is or becomes public other than through a breach of this Contract; (ii) was lawfully known to the receiving Party prior to disclosure; (iii) is lawfully received from a third party without breach of a confidentiality obligation; or (iv) is independently developed by the receiving Party without use of the Confidential Information.

Obligations

The receiving Party undertakes to: (i) not disclose Confidential Information except to its employees, advisors, Affiliates, or subcontractors who have a strict need to know and are bound by confidentiality obligations at least equivalent to those set forth herein; (ii) use Confidential Information solely for the performance of the Contract; and (iii) protect Confidential Information using reasonable safeguards at least equivalent to those it applies to its own confidential information.

Required Disclosure: If the receiving Party is required by law, regulation, or court order to disclose Confidential Information, it shall, to the extent permitted by law, notify the disclosing Party in advance and reasonably cooperate to limit the scope of such disclosure.

Return or Destruction: Upon expiration or termination of the Contract, the receiving Party shall, at the disclosing Party’s option, return or destroy all Confidential Information within thirty (30) days and provide a written certification upon request. Copies required to be retained by law may be kept and shall remain subject to the confidentiality obligations set forth herein.

Term: Confidentiality obligations shall apply for the duration of the Contract and for five (5) years thereafter, except for trade secrets, which shall remain protected for as long as they retain their status as trade secrets.

Injunctive Relief: Any breach of confidentiality obligations may cause irreparable harm. Accordingly, the disclosing Party shall be entitled, in addition to damages, to seek injunctive or equitable relief without the need to post a bond.

Personal Data: Where Confidential Information includes personal data, the provisions of the DPA shall prevail in the event of any conflict.

‍19. Compliance (Sanctions, Export Controls, AML/CFT, Anti-Corruption)

Each Party undertakes to comply with all applicable laws and regulations, including without limitation those relating to economic sanctions, embargoes, export controls, anti-money laundering and counter-terrorist financing (AML/CFT), and anti-corruption laws (including, where applicable, the U.S. Foreign Corrupt Practices Act and the UK Bribery Act).

Upon reasonable request, the Client shall provide any necessary KYC/AML information and represents that neither it, nor its beneficial owners, nor any relevant Authorized User is listed on any applicable sanctions list.

APPENDIX 1 — Subprocessors (Indicative List)

AI model aggregation layer: OpenRouter (openrouter.ai) — Function: routing and aggregation of requests to model providers; sub-processor within the meaning of Article 28 GDPR. SOC 2 certification available. Zero Data Retention (ZDR) configuration implemented where applicable. DPA in progress.

Downstream AI model providers: Anthropic (USA) — direct API integration — 30-day retention on Anthropic’s side — DPA in progress. OpenAI (USA) — dual integration: direct API for RAG operations, via OpenRouter for prompts — 30-day abuse monitoring retention — DPA verification in progress. Mistral AI, Google, and any other provider included in the OpenRouter catalogue currently used by GINI — Function: inference and generation of AI responses. The up-to-date list is available at https://trust.openrouter.ai.

AI monitoring and traceability: LangSmith / LangChain (USA) — Function: tracing, debugging, and internal service improvement for GINI interactions. LangSmith receives full prompt and output content. DPA signed 27/03/2026. SCCs 2021 Module 2 included. Governing law: Ireland. Retention: 15 days on LangSmith platform; internal extract retained up to 12 months for service improvement, access restricted to authorised Engineering personnel.

Depending on technical configurations and availability, certain processing operations may be carried out within the European Union and/or outside the European Economic Area (EEA). Where transfers outside the EEA are required, they are governed by appropriate transfer mechanisms (including, where applicable, Standard Contractual Clauses and supplementary measures), in accordance with the DPA where applicable.

MyTraffic maintains an up-to-date list of subprocessors and shall inform the Client of any material changes in accordance with these GTSU and/or the DPA.

Upon the Client’s written request, MyTraffic shall provide the available information relating to the primary processing location per provider and the applicable transfer mechanisms.

APPENDIX 2 — Acceptable Use Policy (AUP)

Prohibited Uses

The following uses are strictly prohibited:

• illegal activities, fraud, impersonation, discrimination, or harassment;
• large-scale extraction, scraping, crawling, abusive automation, or circumvention of Quotas (including multiple accounts or scripts);
• uploading, entering, or processing content that infringes third-party rights (including copyright or trademarks) or discloses third-party confidential information without authorization;
• reverse engineering, attempts to access system prompts, or exfiltration of secrets or data;
• prompt injection or jailbreak attempts intended to bypass safeguards or obtain internal information;
• uploading unauthorized sensitive data;
• automation of sensitive decisions without appropriate human supervision;
• generation, dissemination, or facilitation of malware, phishing, spam, or any activity intended to compromise systems or accounts;
• uploading sensitive data or special categories of personal data within the meaning of the GDPR (e.g., health, biometric, political opinions), unless expressly authorized in writing and governed by a DPA and appropriate security measures;
• use intended to generate abnormally high volumes of LLM tokens or to artificially multiply conversations or workflows in order to circumvent Quotas.

Sanctions

In the event of a violation, MyTraffic may apply limitations, suspend access, or terminate the Contract.

Immediate measures may be taken where there is a security, compliance, or third-party rights risk.

MyTraffic may suspend access immediately in the event of a security, compliance, or third-party rights risk and shall notify the Client as soon as reasonably practicable of the general reasons for such action. Access may be restored if the violation is remedied, unless a continuing risk or legal obligation prevents reinstatement.

APPENDIX 3 — Security Incident Exhibit

1. Notification

MyTraffic shall notify the Client without undue delay after reasonable confirmation of a security incident impacting the Service.

Where the incident involves personal data processed on behalf of the Client, notification and assistance obligations shall be governed by the DPA (GDPR).

Notification shall occur once the incident is reasonably confirmed by MyTraffic and presents a significant impact on the confidentiality, integrity, or availability of the Service or the affected data.

2. Minimum Content of Notification

To the extent reasonably available at the time and permitted by legal, contractual, and security requirements, the notification shall include:

• a description of the incident (nature, date, scope);
• the types of data potentially affected;
• the likely impact;
• measures already taken;
• recommendations for the Client;
• next steps.

3. Communication Channel

Notification shall be sent by email to the security contact designated in the Order Form or, failing that, to the contractual contact.

MyTraffic contact: support@mytraffic.fr

Email subject: “Security Incident – GINI”

4. Update Frequency

MyTraffic shall provide reasonable updates proportionate to the severity of the incident (e.g., daily for critical incidents, weekly for major incidents).

A closing report may be provided upon reasonable request.

5. Cooperation

The Client shall reasonably cooperate with MyTraffic.

MyTraffic may implement protective measures as necessary, including credential resets, token revocation, or temporary suspension of access.

6. No Admission of Liability

Any notification or communication made pursuant to this Appendix shall not constitute an acknowledgment of fault, liability, or breach by MyTraffic.

APPENDIX 4 — AI Safety Exhibit

‍Authorized Use Cases

• business decision support (including area analysis, document summarization, and generation of tables and insights)

Prohibited / Restricted Use Cases

• automated sensitive decisions without appropriate human supervision;

• data exfiltration;

• any use in violation of the Acceptable Use Policy (AUP).

‍Controls

MyTraffic implements reasonable technical and organizational controls, including in particular:

• rate limiting;

• anomaly detection;

• prompt-injection and jailbreak prevention;

• output filtering;

• measures aimed at reducing risks related to personal data (PII) exposure;

• traceability and logging.

The controls and measures described above constitute reasonable technical and organizational measures intended to reduce the risks associated with use of the Service. They do not guarantee the complete absence of errors, bias, interruptions, or abusive use, nor do they guarantee any specific result.

Processes

• limited red teaming exercises;

• quality review procedures;
  

• rollback and/or kill switch mechanisms in the event of a significant risk.

Change Management

Model  and/or  dataset  versioning  is  implemented  where  reasonably  possible. Material changes are notified through release notes or equivalent communications.

Regulatory Qualification

The Service is designed and provided as a limited-risk artificial intelligence system within the meaning of applicable European regulations, subject to the Client’s compliance with the authorized use cases and the restrictions set forth herein and in the AUP.

‍Feedback

A support channel is available to report problematic Outputs or abusive use cases.

APPENDIX 5 — Trust Center Summary

This Appendix 5 constitutes an informational summary (“Trust Center Summary”) provided for transparency purposes only. In the event of any inconsistency, the GTSU, the applicable Order Form, and/or the DPA shall prevail. The measures described herein may evolve in accordance with the Contract.

Security

• encryption at rest where applicable, depending on components and offers;

• role-based access control (RBAC) and least-privilege principles;

• multi-factor authentication (MFA / 2FA) for sensitive and/or administrative access;

• access logging and periodic access reviews;

• anti-abuse measures.

Retention

• GINI logs retained for 90 days (standard);

• automatic deletion;
  

• legal hold where applicable;

• accelerated deletion available as an option and/or upon request, subject to legal obligations and legal hold requirements.

Subprocessors

• AWS (primary hosting region as contractually agreed, where applicable);

• LLM Providers and monitoring (depending on Service architecture): Anthropic (USA, direct API), OpenAI (USA, dual integration), OpenRouter (USA, routing layer), LangSmith/LangChain (USA, monitoring — DPA signed 27/03/2026).

Where transfers outside the EEA are required, appropriate transfer mechanisms apply (including Standard Contractual Clauses). Material changes to subprocessors are notified in accordance with the Contract and/or the DPA.

Incidents

• notification without undue delay;

• minimum information content;

• proportionate updates;

• cooperation with the Client.

Artificial Intelligence

• transparency regarding AI use and limitations;

• human review requirements;

• AI safeguards;

• prohibition of sensitive uses without appropriate supervision.

Privacy

• DPA available (Article 28 GDPR);
  

• data minimization;

• deletion in accordance with the DPA and/or the Contract.

Contact

Support and security reporting: support@mytraffic.fr

APPENDIX 6 — Evaluation / Trial Conditions

6.1 Purpose

Where MyTraffic grants the Client access to the Service on a trial, evaluation, demonstration, or free basis (“Trial”), the Client may use the Service within the limits set out below and as displayed in the Service Interface.

6.2 Duration

The Trial is granted for a fixed period of fourteen (14) calendar days, unless expressly stated otherwise at the time of activation (via the website and/or the Service Interface). The Trial start date and end date are displayed in the Service Interface.

Unless expressly agreed otherwise by MyTraffic, the Client may benefit from a Trial and/or a free (“freemium”) offer only once every six (6) months following the end of the previous Trial or freemium period.

6.3 Access and Activation (Self-Service)

The Trial may be activated on a self-service basis via the MyTraffic website, without mandatory prior qualification. MyTraffic reserves the right to limit, suspend, or refuse access to the Trial in the event of abuse, fraud, or non-compliance with these GTSU and/or the AUP.

6.4 Scope / Quotas / Support

The features available during the Trial, as well as applicable Quotas and technical limits, are those displayed in the Service Interface at the time of use.

The Trial is provided “as is”, without warranty, without any service level commitment (SLA), and with limited support.

6.5 Continuity from Trial to Paid Offer (Account, Data, Configuration)

If the Client subscribes to a paid offer at the end of the Trial, the Client shall retain the same Account, as well as the settings, configurations, and data created during the Trial, subject to compliance with these GTSU and payment of the amounts due.

Such continuity is guaranteed provided that subscription to a paid offer occurs no later than seven (7) calendar days following the end of the Trial.

6.6 Pre-Expiration Notifications

Prior to the expiration of the Trial, the Client may receive informational notifications (by email and/or in-app) regarding the upcoming end of the Trial and subscription options.

6.7 End of Trial / Upgrade / Payment

At the end of the Trial, if the Client has not subscribed to a paid offer, access to Trial features shall be blocked and the Client shall be invited to subscribe to a paid offer.

No payment information is required to activate the Trial. Payment details are requested only at the time of subscription to a paid offer.

6.8 Subscription to a Paid Offer

Subscription to a paid offer may be completed: on a self-service basis via the Service Interface (in particular for self-serve offers); or through MyTraffic’s sales teams, depending on the selected package and the agreed commercial terms.