PRIVACY POLICY

Last updated: June 2, 2026
Kambio protects your personal data and privacy in accordance with the strictest European and French regulations currently in force and applicable in this area. In France, personal data is protected in particular by Law No. 78-17 of 6 January 1978, Law No. 2004-801 of 6 August 2004, and Article L. 226-13 of the Criminal Code. These protections have been strengthened and supplemented by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018 and provides a uniform framework for data processing across the entire territory of the European Union.
This privacy policy describes how Kambio (hereinafter “we”) collects, uses and protects the personal data of users of the Ma Petite Planète apps (hereinafter “the App”).
The data controller is:
  • Company: SASU Kambio
  • Address: 19 avenue Hoche, Paris, Ile-de-France 75008, France
  • Contact: christian@mapetiteplanete.org

If you have any questions regarding the protection of your personal data or wish to exercise your rights under the GDPR, please contact us at this address.

1. Data collected – Ma Petite Planète app

The personal data entered by the user when creating an account on the Ma Petite Planète app includes the following: first name, last name, email address, password, username, country, zip code, and age group.

  • First name: displayed within the app (visible only to league players).
  • Last name: used for identification purposes (e.g., facilitating troubleshooting in case of technical issues).
  • Email address: used for authentication and for information purposes (for communications relating to the operation of the service and, where applicable, to send you information or newsletters based on your consent).
  • Alias/Username: displayed in the app and in the edition’s general ranking.
  • Age group: used for statistics and to highlight users who are minors and under 15 years of age.
  • Country of residence: used for statistics and player mapping.
  • Postal code: used for statistics and player mapping.

Location data (country and postcode) is used for statistical purposes and to provide an aggregated view of participants. It does not allow a user to be pinpointed.

 

Optional data that may be provided or modified under “My Account”:

  • Profile picture (optional): displayed within the app, visible only to league players
  • Sector of activity (optional, public version only): used to improve game content
  • Acquisition channel (optional, public version only): used for statistics and internal analysis
  • Consent to receive class notifications (optional)
  • App language (default: device language)
  • Telephone number (optional; mandatory only for participation in certain open leagues where required by the organizing structure): used by Ma Petite Planète or project leaders to add participants to league conversations

Mission MPP Operation – In collaboration with On est Prêt

As part of the “Mission MPP” initiative conducted in collaboration with On est Prêt during the Winter 2025 edition, users participating in this initiative (via invitation from partner content creators, On est Prêt, or Ma Petite Planète) expressly consent to the sharing of their email addresses with On est Prêt and agree to be contacted by On est Prêt in connection with future campaigns and events organized by that organization.

This sharing is based solely on the explicit consent of the users concerned and does not apply to other users of the App.

 

2. Challenge-related data

Personal data relating to the challenge is also collected: completed challenges and associated leagues.

  • Completed challenges (title, date): information retrieved, useful for gameplay and generating statistics. A score is calculated based on the completed challenges. This score, assigned to participants within the app, is intended solely for gamification purposes and to track progress in the challenges offered. It is calculated transparently on the basis of actions performed and challenges completed by the user, in accordance with explicit rules accessible within the app. This score is linked solely to a nickname chosen by the participant and does not include any directly identifying data (such as surname, first name or email address) in the leaderboards visible to other users. The leaderboards displayed in the App contain no real identity data (surname, first name, email). They are based solely on pseudonyms and league information. It is not based on any personality analysis, external behavioural tracking or individual assessment in the sense of profiling. Consequently, this mechanism does not constitute profiling and is not used to make automated decisions that produce legal effects or similar significant effects on participants. The system is used solely for recreational purposes, participation and community engagement.
  • Associated league (including whether the user is an ambassador and, where applicable, the organization name)

Collected data is necessary in order to:

  • Create and manage your account
  • Respond to your inquiries and administer the Site and services
  • Inform you about services provided, including rankings and edition statistics
  • Send emails relating to the service offered (you can unsubscribe at any time via the link at the bottom of each email)
  • Detect abusive use of the Site

Anti-cheating and security

The processing activities implemented do not involve any automated decision-making producing legal effects or similarly significant effects.
Anti-cheating: An automated system for detecting suspicious behaviour (anti-cheating) may flag up anomalies. However, any decision to remove a user from the rankings is subject to human verification.

Users may appeal any decision by contacting christian@mapetiteplanete.org.

 

Types of data processed

When using the App, the following data may be processed:

  • Account details: email address, login details, [username, etc.].
  • Usage data: progress in challenges, contributions to objectives, [other application data].
  • Health and fitness data: step count, when you enable this feature (see section 3).

This data is strictly limited to what is necessary for the service to function.

3. Step count data (health data)

This section specifically describes how we use health and fitness data, in accordance with the requirements of Google Play and Health Connect.
In the vast majority of cases, no health data is collected or processed by the App.
As part of the ‘step counter’ challenges in the Ma Petite Planète challenge, we offer users the option — with their explicit consent — to collect the number of steps recorded by their phone. This data is classified as health data within the meaning of the applicable data protection regulations.
Data accessed: step count.
Source: this data is read via Health Connect (Android) and Apple Health (iOS). Access to this data is only possible after the user has given their explicit consent within the app.
Purpose: the step count is used as part of an optional group challenge feature on the theme of the environment. Your steps automatically contribute towards a group target, so you don’t have to enter them manually. This feature is entirely optional and is not required to use the app.


Collection method: Step data can be accessed via your device’s dedicated health platform — Google Health Connect on Android, or Apple Health on iOS. The app only requests access when you choose to take part in a step-counting challenge, and only after you have given your explicit consent.
Processing and transit: When you take part in a group challenge, your step count is securely transmitted to our servers so that we can calculate the group’s total.
Sharing: Individual step counts are never visible to other users. No user can access another user’s step count. Only aggregated and anonymised league-level results may be displayed in the App. Kambio does not share any health data with advertisers, advertising agencies, data brokers or marketing partners. Your health and fitness data is not, under any circumstances, used for the following purposes:

  • advertising or marketing;
  • to determine eligibility for a job;
  • to determine eligibility for insurance;
  • unauthorised sharing on social media.


Usage: This data is used solely to display your personal progress and your league’s collective progress in the challenge. It is not used for any other purpose.


Storage: Step data is deleted if explicit consent is not renewed or upon request.


Withdrawal of consent: You can withdraw your consent at any time by revoking the app’s access to your health data in your device’s settings (Google Health Connect or Apple Health), or by contacting us at christian@mapetiteplanete.org. Once consent has been withdrawn, the App immediately ceases all access to step data. No further data is collected after consent has been withdrawn. You can contribute to the group challenge manually.

Sensitive data: Health and fitness data is processed solely for the purpose of the step-counting feature and only with the user’s explicit consent.

Non-commercial use guarantee: The health data collected is never used for indirect commercial purposes, external behavioural analysis or monetisation.

 

Prohibited use:
Health and fitness data is not used under any circumstances for:
  • advertising;
  • marketing;
  • advertising profiling;
  • the resale of data;
  • job evaluation;
  • insurance assessment;
  • any automated decision-making process with significant implications;
  • any use outside the scope of the Application’s normal operation.

4. Management and use of personal data


The data controller for personal data collected in connection with Kambio’s services is Kambio.
If you have any questions regarding the protection of personal data or wish to exercise your rights, please contact the DPO (Data Protection Officer): Christian Nallatamby – christian@mapetiteplanete.org.

The data collected is retained for as long as is necessary to provide the service and manage the user account.

They may then be archived or deleted in accordance with the applicable legal requirements. In the absence of prolonged activity, certain data may be deleted after a maximum period of five (5) years.

The processing of personal data carried out by Kambio is primarily based on the performance of the contract between the user and Ma Petite Planète (Article 6(1)(b) of the GDPR), which is necessary for the provision of the service (account creation and management, participation in the challenge, ranking, and internal communication).
Certain processing activities may also be based on compliance with legal obligations or, where applicable, on the user’s explicit consent when required.

5. Hosting and subcontractors

Personal data is hosted exclusively within the European Union.

Kambio uses the following subcontractors:
Supabase: database hosting and technical infrastructure (servers located in the European Union). Supabase adheres to recognised security standards, including GDPR compliance, SOC 2 Type II certification and ISO 27001-certified infrastructure.
OVHcloud: web app hosting (servers located in the European Union).
Apple App Store and Google Play Store: distribution of the mobile app (these platforms act as independent data controllers for the data they collect directly as part of their services and in accordance with their own privacy policies).

These service providers are contractually obliged to protect your data and to process it only in accordance with our instructions.

Your rights

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • the right of access to your data;
  • the right to rectification;
  • the right to erasure (‘right to be forgotten’);
  • the right to data portability;
  • the right to object to and restrict processing;
  • the right to withdraw your consent at any time.

To exercise these rights, please contact us at: christian@mapetiteplanete.org
You also have the right to lodge a complaint with the CNIL (www.cnil.fr).

6. Data security

Kambio implements appropriate technical and organisational measures to ensure the security, confidentiality and integrity of personal data, including:

  • Secure hosting within the European Union
  • Encryption of data in transit via the HTTPS/TLS protocol
  • Encryption of data at rest
  • Passwords protected by secure hashing mechanisms
  • Regular database backups
  • Internal access management for production environments
  • Continuous vulnerability monitoring by our hosting provider (Supabase)
  • Security rules on all tables in our database (Row Level Security – RLS where applicable)
  • Testing of developments in a pre-production (staging) environment prior to deployment in production

All administrator accounts are protected by two-factor authentication (2FA). Access to data is strictly limited in accordance with the principle of least privilege and granted only to authorised personnel.

Production, testing and development environments are strictly separated in order to minimise the risk of data exposure.

In the event of a personal data breach, Kambio has an incident management procedure in place. It is alerted by its technical service provider and carries out an analysis of the situation. Where required by law, the relevant authority and the data subjects are notified within the statutory time limits.

7. Users’ rights

Pursuant to the French Data Protection Act of 6 January 1978, as amended, participants have the right to access, modify, rectify, and delete personal data concerning them by contacting the Organizer of the game. To exercise these rights, an email may be sent to christian@mapetiteplanete.org specifying the request.

In accordance with the GDPR, you also have:

  • The right to restriction of processing in the cases provided for under Article 18 of the GDPR;
  • The right to object where processing is based on legitimate interest;
  • The right to data portability where processing is based on a contract or consent;
  • The right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (www.cnil.fr).

Accuracy and Updating of Data

Kambio takes reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.

Users may modify certain information directly from their personal account. In addition, any request for rectification may be sent to the contact address indicated above.

Requests for the exercise of rights are processed within a maximum period of one (1) month, in accordance with Article 12 of the GDPR.

Communication to Processors

Where personal data has been transmitted to processors, any request for rectification, erasure, or restriction of processing is implemented with those processors where applicable.

Kambio directly initiates the necessary operations with its hosting provider and obtains confirmation that the request has been taken into account.

Accessibility of the Privacy Policy

This Privacy Policy is accessible:

  • From the Ma Petite Planète website, in particular via the footer;
  • Prior to account creation, via a direct link displayed on the registration screen;
  • In a version adapted for mobile devices.

It is drafted in a clear, comprehensible, and easily accessible manner, in accordance with Article 12 of the GDPR.

Users are informed of the processing of their personal data and of their rights at the time the data is collected, or at the latest when creating their account.

No personal information of users of the Ma Petite Planète Site is published without their knowledge, exchanged, transferred, assigned, or sold in any form whatsoever to third parties without their explicit consent.

The Site is not declared to the CNIL insofar as it does not process personal data beyond what is described herein.

In accordance with the GDPR, no prior declaration to the CNIL is required. Kambio maintains an internal record of processing activities pursuant to Article 30 of the GDPR.

In accordance with the GDPR, no prior declaration to the CNIL is required. Ma Petite Planète maintains an internal record of processing activities pursuant to Article 30 of the GDPR.