GDPR POLICY / PERSONAL DATA PROTECTION POLICY

This GDPR Policy is applicable to the operator: Societatea Active Mallevo SRL, with registered office located in Romania, Bucharest, Sos. Colentina str., no. 16, registered at the Trade Registry Office under no. order J40/7278/18.04.2022, European unique identifier (EUID) ROONRC.J40/7278/2022, unique registration code (CUI) 45976175 (trade name "Mallevo").

1. Our commitment to your personal data

1.1. Mallevo will process personal data in accordance with this Personal Data Protection Policy ("GDPR Policy"), according to the legislation in force.

1.2. The GDPR policy is based on the provisions of Regulation no. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("General Data Protection Regulation" or "GDPR"), which entered in force since May 25, 2018, as well as applicable national legislation.

1.3. The GDPR defines personal data as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more many specific elements, specific to his physical, physiological, genetic, psychological, economic, cultural or social identity".

1.4. Any information regarding the processing of your personal data can be requested in writing to the above-mentioned registered office address or to the e-mail address: office@mallevo.ro

2. Agreement

2.1. Your use of our services is subject to this GDPR Policy. When you use our services, you agree to the terms of this GDPR Policy. The purpose of the GDPR Policy is to inform our customers about how we collect, store and use personal data.

3. Categories of personal data collected

The personal data we process as a result of your use of the site may include:

• details of your visits to our website (in this regard we recommend you read the Cookies Policy);

• other information that you send us, when making a request on the website or as a result of sending them by email or phone.

• the data required to issue tax invoices, as well as any other relevant data.

4. Ways of collecting your personal data

4.1. We collect your data mainly following a visit to the website www.mallevo.ro, the launch of an online order.

4.1.1. We collect and process personal data relating to name, surname, email address, phone number in order to maintain a correspondence or communication with you. Thus, if you make a request by email or phone, we will process your data in order to resolve it.

4.1.2. In this context, if the situation presented by you for the request requires it, we will be able to transmit your contact details to financial and governmental institutions and transport companies.

4.2. We collect your data that comes as a result of a request to be contacted.

4.2.1. We collect personal data relating to name, surname, email address, telephone, interest in contracting and which

come as a result of you requesting to be contacted by filling in the fields on the site.

4.2.2. In this regard, our consultants will contact you to provide you with more information.

4.2.3. After completing the contact form, your data is imported into Mallevo's database.

4.2.4. In case you have expressly consented to your personal data being processed for marketing purposes by Mallevo, respectively for sending newsletters, information about our products and services or events, contests organized by us, Mallevo or the proxies will process your data for this purpose.

5. The purposes for which we process your personal data

We may collect and process personal data for the following purposes:

• offering our products and services;

• sending invitations for organized events;

• compliance with our legal obligations (such as obligations to keep accounting records and supporting documents);

• analyzing, improving our services and communications to you;

• protecting the security and managing websites and other systems, preventing and detecting security threats, fraud or other criminal or malicious activities;

• transmitting them to third parties, if you have expressly given your consent;

• marketing campaigns, customer surveys, market analysis, sweepstakes, contests or other promotional activities or events, where you have expressly consented;

• ensuring the physical security of the premises, according to the special legislation applicable in the field;

• the relationship with public authorities, according to the applicable legal norms in civil and criminal matters;

• for any purpose related and/or ancillary to any of the above or any other purpose for which your personal data has been provided to us.

6. Direct marketing

6.1. We promote our services to you and to others. We use customer information for the transmission of

invitations and communications promoting the products and services provided by us.

6.2. In all cases, you will have the possibility to unsubscribe from receiving marketing information by accessing the unsubscribe link that you will find within each communication of this type or by sending a written request to the address of the registered office mentioned above or to the email address: office@mallevo.ro

6.3. Please note that in the case of an unsubscribe request, there may be a period of up to 48/72 hours in which you may still receive information or marketing communications, due to considerations related to the operation of changes in the system. Unsubscribing from receiving marketing e-mails does not prevent the further transmission of transactional e-mails through which we may inform you about the status of the transaction we may conclude.

7. Sharing and Transferring Your Personal Data

7.1. We may provide access to the personal data you provide to our proxies, based on contracts entered into in this regard, but we will retain control over your personal data and use appropriate safeguards, in accordance with applicable law, to ensure the integrity and security of your personal data.

7.2. We may also disclose your personal data when you instruct us or give us permission to do so or when we are required by applicable law, requests by judicial or official bodies to do so, or in order to investigate fraudulent activities or criminal, actual or suspected.

7.3. We will not transfer personal data outside the EEA, unless one or more specified safeguards or exceptions apply to the transfer, namely an adequacy decision, the Privacy Shield, binding corporate rules.

7.4. In the absence of a suitability decision, Privacy Shield membership, mandatory corporate rules, the transfer of personal data to a third country or international organization takes place only under the following conditions:

7.4.1. the data subject has explicitly consented to the proposed transfer, after being informed of the possible risks of such transfers to the data subject due to the lack of a suitability decision and adequate safeguards;

7.4.2. the transfer is necessary for the execution of a contract between the data subject and the operator or for the execution of pre-contractual provisions adopted at the request of the data subject;

7.4.3. the transfer is necessary for the conclusion or execution of a contract concluded in the interest of the data subject between the operator and another natural or legal person;

7.4.4. the transfer is necessary for important reasons of public interest;

7.4.5. the transfer is necessary for the establishment, exercise or defense of legal claims.

8. Storing and ensuring the security of personal data

8.1. Ensuring the confidentiality of the personal data you transmit to us is an important concern for us. We have implemented technical and organizational measures to maintain the confidentiality and security of your personal data in accordance with our internal procedures regarding the storage, disclosure and access of personal data. Personal data may be kept on our personal data technology systems, those of our contractors or in hard copy for a period of 5 years or any other period according to applicable law.

9. Your Rights

9.1. We would like to inform you that, within the new regulations on the protection of personal data provided by the General Regulation on the protection of data EU 679/2016, if we process your personal data, you have

of the following rights listed below, as well as any other applicable legal rights:

• the right of access, provided by art. 15 of the GDPR, based on which you can ask us, free of charge, to confirm whether or not we are processing personal data concerning you. You can also ask us for a copy of the data we process about you. Applications must include relevant information to identify you in our database. We will resolve your request, within the legal term;

• the right to information – involves informing the data subjects in a concise, transparent and easily accessible manner about the processed data;

• the right to rectification, provided by art. 16 of the GDPR, which you can exercise, by making a request through which you can ask us to modify the information we already have about you. You can make such a request when you notice that your data is incomplete or inaccurate;

• the right to restrict processing, provided by art. 18 of the GDPR, which you can exercise when you dispute the accuracy of the data, consider the processing to be unlawful or object to the deletion of the data. Following the exercise of this right, we will still be able to store your data, performing other processing operations being possible only with your consent, except in cases expressly provided by law;

• the right to portability, provided by art. 20 of the GDPR, which you can exercise only in cases where the processing is based on your consent or the contract and only if your data is processed by automated means. If you meet the conditions, you can send us a data porting request to the operator you want;

• the right to object to data processing for marketing purposes, provided by art. 21 of the GDPR. You can exercise this right at any time, and we guarantee that your data will no longer be processed for this purpose. However, it is possible that a reasonable period of time (up to 72 hours) is required to register and process your request during which you may still receive marketing communications from us;

• the right to erasure, provided by art. 17 of the GDPR, based on which we have the obligation to delete the personal data we process about you. This right is not an absolute one, having applicability only in certain situations expressly provided by law. When making a deletion request, please be aware that deleting them can be a complex process.

9.2. In order to exercise these rights, please send us a written request to the address of the registered office mentioned above or to the e-mail address: office@mallevo.ro, with the subject "Personal information request".

Also, if you wish to withdraw your consent for direct marketing purposes, you can use the "unsubscribe" option that is included in every marketing communication.

10. GDPR Policy Update

We reserve the right to periodically update and amend this GDPR Policy to reflect any changes to how we process your personal data or any changes to legal requirements.

In case of any such change, we will display on our website www.mallevo.ro the modified version of the GDPR Policy and/or make it available in another way.

11. Contact

For additional information regarding the content of the GDPR Policy, please contact us in writing at the above-mentioned registered office address or at the e-mail address: office@mallevo.ro