This text is a translation of the original in Spanish. Any conflict, discrepancy or inconsistency that arises will be resolved according to the Spanish version of this text.

I. PRIVACY POLICY AND PERSONAL DATA PROTECTION

ADQUIRA ESPAÑA, S.A. (hereinafter, "Adquira") fully complies with personal data protection regulations, ensuring that the processing of personal information provided through this platform is carried out in accordance with applicable legal guarantees and obligations.

In compliance with current regulations, Adquira implements appropriate technical and organizational measures to ensure an adequate level of security and prevents the loss, misuse, alteration, unauthorized access, and theft of the data provided. Adquira guarantees its duty of confidentiality with respect to the personal data provided through the form available on this platform.

Adquira selects Data Processors for the personal data it is responsible for, offering sufficient guarantees to apply appropriate technical and organizational measures so that the processing complies with data protection regulations. The relationships between the controller and the processor are formalized in a contract or agreement that binds the processor to the controller.

The communication of certain personal data provided by data subjects, who are natural people acting on behalf of a Data Controller as representatives or as individuals acting on behalf of legal entities and in their own name (hereinafter, "the data subjects"), is necessary for Adquira to provide the services contracted through the different tools.

Adquira will use the personal data of data subjects to carry out the necessary tasks related to the registration of the Data Controller on its platform, enabling them to use Adquira's tools and features, and to address any questions that may arise during these processes.

Who is responsible for the processing of your data?

The entity responsible for processing the personal data of data subjects is ADQUIRA ESPAÑA, S.A., with a registered office at Calle Julián Camarillo No. 53, 4th floor, Postal Code 28037, Madrid, and with Tax Identification Number A-82726613. In the case of users assigned by companies registered on the platform, the data controller is that company. You can contact Adquira at the following email address: atencionclientes@adquira.com..

For what purpose and basis do we process your personal data?

1. Managing the registration of the Data Controller on the platform: Adquira will use the data of data subjects, acting as representatives of the Data Controller, to carry out the necessary steps to register them as a Supplier on the platform, as well as to manage and respond to any questions, queries, or suggestions raised by data subjects regarding the services provided by Adquira. The legal basis for this processing is the legitimate interest of the parties.

2. Managing the registration of the authorized user for platform use: Adquira will use the personal data of profile administrator users to enable access to the tools of the contracted platform. The legal basis for this processing is the legitimate interest of the parties and the fulfillment of contractual obligations.

3. Management and support in the use of Adquira's tools Adquira may use the data provided by data subjects to manage, support, and assist with the use of the tools contracted from Adquira. The legal basis for this processing is the legitimate interest of the parties and the fulfillment of contractual obligations.

4. Recording of data subjects' voices to maintain service quality: Adquira may record the personal data of data subjects, including their voice, during phone conversations with Adquira staff to verify service quality. This processing is necessary for the satisfaction of Adquira's legitimate interests.

5. Management of queries and concerns from potential clients through the contact form: Adquira may use personal data collected through the contact form solely for the purpose of responding to the queries raised in the form. The legal basis is the user's consent, which is necessary and mandatory to send the contact form.

6. Sending commercial communications by any means about product and service offers: If the data subject registers with "ADQUIRA CONECTA," the company may use the data to send commercial communications about product and service offers published on the "ADQUIRA CONECTA" tool, as well as information on specific needs buyers post on the tool’s notice board, enabling the data subject to offer their services to the relevant buyer. This processing will be based on the data subject’s consent for this specific purpose.

How long will we keep your data?

The personal data provided will be kept (i) as long as the contractual relationship with the Supplier is maintained, where appropriate, (ii) the right of deletion is not requested by the interested party, and (iii) they cannot be eliminated because they are necessary for compliance. of a legal obligation or for the formulation, exercise, and defense of claims.

If the data subject exercises their right to deletion, their personal data will be blocked during the legally established periods to address any responsibilities arising from their processing.

Will your data be communicated?

It is expressly stated that the personal information of the data subject will not be communicated to third-party recipients nor will it be subject to international transfers to third countries or international organizations.

What are your rights when you provide us with your data?

Data subjects may exercise their rights of access, rectification, and deletion of data, as well as request the limitation of processing, object to it, request data portability, and not be subject to automated individual decisions, by sending a written communication to the following email address: atencionclientes@adquira.com., or by postal mail to Calle Julián Camarillo No. 53, 4th floor, Postal Code 28037, Madrid. The communication must be accompanied by a National Identity Document (D.N.I.) or any other official document that proves the identity of the data subject.

Regardless of any other administrative or legal action, data subjects have the right to file a complaint with the Spanish Data Protection Agency, especially when they have not obtained satisfaction in exercising their rights.

II. CONDITIONS OF ADQUIRA AS DATA PROCESSOR

These conditions are part of the Contract signed between the parties. They do not constitute a modification of the Contract, except for what is specifically established herein. All the stipulations of the Contract remain in force unless this document includes terms that differ from those in the Contract.

In certain situations, Adquira may process personal data on behalf of its clients (who assume the role of data controllers), making Adquira the data processor of such data, with the sole purpose of providing services related to auctions, invoicing, approval, and/or negotiation. The data controllers must register on the platform.

In this regard, Adquira guarantees that it will process the data strictly following the documented instructions of its clients, respecting confidentiality, and applying the appropriate security measures for the personal data processed on behalf of its clients.

As a result of the Contract, ADQUIRA may access personal data that is under the responsibility, custody, and protection of the Data Controller (hereinafter referred to as the "Data Controller"); with ADQUIRA acting as the Data Processor for these data (hereinafter referred to as the "Data Processor" or "ADQUIRA"). These conditions address the processing of data by the Data Processor.

First: Types of Personal Data

The Data Processor may access, for contract management purposes, personal data related to the following categories of individuals: Clients, Employees, and Suppliers. The types of data ADQUIRA may access can include identification data, academic and professional data, and, where applicable, employment-related data.

If the Data Controller provides other categories of data or special categories of personal data through ADQUIRA’s platform, they must expressly inform ADQUIRA to ensure the adoption of the appropriate technical and organizational security measures.

The nature of the processing that the Data Processor may perform on behalf of the Data Controller will involve storing the Data Controller's information on the platform. The purpose of the processing will be derived from the contracted service.

Second: Instructions of the Data Controller

Data obtained or accessed under the Contract cannot be used for any purpose other than its execution. Such data will be confidential and will not be disclosed or made available to third parties without prior written authorization from the Data Controller, except in cases expressly permitted by law.

Third: Audits and Supervisory Authority Inspections

If a supervisory authority requires an inspection of the data processing facilities used by Adquira to process the Data Controller’s personal data, Adquira will reasonably cooperate with such an audit. Adquira will provide the Data Controller with all necessary information to demonstrate compliance with the obligations established in this contract and facilitate audits, including inspections, carried out by the Data Controller or another auditor appointed by the Data Controller. Audit reports can only be used to meet regulatory requirements or confirm compliance with Contract requirements. Audit reports are confidential under the terms of the contract.

Fourth: Record of Processing Activities

ADQUIRA will maintain a written and electronic inventory of all categories of processing activities carried out on behalf of the Data Controller, including at least the following information:

- The name and contact details of the Data Controller’s data protection officer and, if applicable, the Data Protection Officer (DPO).

- The category of processing.

- In the case of international transfers, the identification of the third country and documentation of appropriate safeguards.

- A description of the technical, organizational, physical, and administrative security measures

Fifth: Duty of Confidentiality

The data, documents, and information held by the Data Controller that may come to ADQUIRA’s attention under the Contract will remain confidential. This obligation remains in place until the data is destroyed. ADQUIRA will take the necessary measures to inform its employees of ADQUIRA’s responsibilities as the Data Processor and the need to comply with them.

Sixth: Subcontracting Rules

If ADQUIRA engages subcontractors (sub-processors) to carry out specific data processing activities on behalf of the Data Controller, ADQUIRA must obtain prior authorization. To this end, ADQUIRA will notify the Data Controller in writing of any planned subcontracting arrangements, providing information about the third parties it intends to subcontract. If the Data Controller does not express written opposition within 48 hours of receiving the notification, it will be deemed that there is no objection. These same terms apply if ADQUIRA intends to replace any subcontractor(s).

ADQUIRA will impose the same data protection obligations in writing on the subcontractor as those established in this Annex. These obligations will also apply to ADQUIRA if the subcontractor engages third parties. ADQUIRA and any successive subcontractors in the chain will be bound by the same obligations. ADQUIRA will be fully responsible to the Data Controller for ensuring that any subcontractor complies with data protection obligations.

Seventh: Security Measures

ADQUIRA will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the state of the art, the costs of implementation, the nature of the stored data, the scope, context, and purposes of the processing, as well as the potential impact on the rights and freedoms of individuals.

In any case, ADQUIRA must implement mechanisms to: (i) ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services; (ii) restore the availability and access to personal data quickly in the event of a physical or technical incident; (iii) regularly assess and evaluate the effectiveness of the implemented technical and organizational measures to ensure processing security. Additionally, ADQUIRA is required to fulfill any obligations regarding data protection impact assessments if required.

Eighth: Notification of Security Incidents

The Data Processor commits to notify the Data Controller, without undue delay, of any personal data security incident, considering the nature of the processed data, the associated risks of loss, destruction, or alteration of personal data, and the information available to ADQUIRA so that the Data Controller can make appropriate decisions regarding the security incident. These decisions will be communicated to ADQUIRA.

Ninth: Rights of Data Subjects

ADQUIRA will assist the Data Controller, through appropriate technical and organizational measures, with requests to exercise the rights of data subjects. In particular, these rights include access, rectification, erasure ("right to be forgotten"), objection to processing, data portability, restriction of processing, and the right not to be subject to automated decision-making, including profiling. If individuals exercise their rights with ADQUIRA, ADQUIRA will inform the Data Controller without undue delay.

Tenth: Return or Destruction of Data

Upon termination of the contract, ADQUIRA will return and/or destroy all personal data to which it has had access for the purposes of fulfilling the Contract, at the Data Controller's choice.