MYPOS TECHNOLOGIES AD Contractor Privacy Notice

Effective as of November 17, 2022

Last update: November

I. MYPOS TECHNOLOGIES AD’ commitment to Privacy

MYPOS TECHNOLOGIES AD is committed to proceeding the personal information of its candidates and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and The Personal Data Protection Act 2002.

MYPOS TECHNOLOGIES AD is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS TECHNOLOGIES AD.

1.1. About us.

When this Notice mentions “MYPOS TECHNOLOGIES AD”, “we,” “us,” or “our,” it refers to Company, registered under Company Number 205050564, having seat and registered address in Varna, 9023, Mladost District, Business Park Varna B1. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS TECHNOLOGIES AD carries out with respect to its candidates. The present Privacy Notice is not intended for employees or civil candidates, for which MYPOS TECHNOLOGIES AD has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com TECHNOLOGIES AD.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS TECHNOLOGIES AD corporate family: We may share your Personal Data with members of the MYPOS TECHNOLOGIES AD corporate family or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS TECHNOLOGIES AD holding companies or MYPOS TECHNOLOGIES AD itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 6 (six) months after you have applied for any of our job applications or have otherwise, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS TECHNOLOGIES AD may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS TECHNOLOGIES AD by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you.

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Commission for personal data protection
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Email: kzld@cpdp.bg

VI. Operating globally.

To facilitate our global operations we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe, India, Asia Pacific and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS TECHNOLOGIES AD is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII.Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX. Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS PAYMENTS LTD Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS PAYMENTS LTD’ commitment to Privacy

MYPOS PAYMENTS LTD is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and the Data Protection Act 2018.

MYPOS PAYMENTS LTD is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS PAYMENTS LTD.

1.1. About us

When this Notice mentions “MYPOS PAYMENTS LTD”, “we,” “us,” or “our,” it refers to Employer, registered in the Company house of England and Wales Company Register, under Company Number 10630670, having seat and registered address at Level 24, The Shard, 32 London Bridge Street, London, England, SE1 9SG. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS PAYMENTS LTD carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS PAYMENTS LTD has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS PAYMENTS LTD corporate family: We may share your Personal Data with members of the corporate family of MYPOS PAYMENTS LTD or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS PAYMENTS LTD holding companies or MYPOS PAYMENTS LTD itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS PAYMENTS LTD may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS PAYMENTS LTD by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Information Commissioner’s Office:

Address:
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VI. International transfers.

6.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

6.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS PAYMENTS LTD is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

VIII.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

IX. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS SERVICES OOD Contractor Privacy Notice

Effective as of November 17, 2022

Last update: November

I. MYPOS SERVICES OOD’ commitment to Privacy

MYPOS SERVICES OOD is committed to proceeding the personal information of its candidates and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and The Personal Data Protection Act 2002.

MYPOS SERVICES OOD is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS SERVICES OOD.

1.1. About us.

When this Notice mentions “MYPOS SERVICES OOD”, “we,” “us,” or “our,” it refers to Company, registered under Company Number 205050564, having seat and registered address in Varna, 9023, Mladost District, Business Park Varna B1. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS SERVICES OOD carries out with respect to its candidates. The present Privacy Notice is not intended for employees or civil candidates, for which MYPOS SERVICES OOD has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS SERVICES OOD corporate family: We may share your Personal Data with members of the MYPOS SERVICES OOD corporate family or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS SERVICES OOD holding companies or MYPOS SERVICES OOD itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 6 (six) months after you have applied for any of our job applications or have otherwise, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS SERVICES OODmay keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS SERVICES OOD by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you.

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Commission for personal data protection
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Email: kzld@cpdp.bg

VI. Operating globally.

To facilitate our global operations we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe, India, Asia Pacific and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS SERVICES OOD is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII.Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX. Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS.BG LTD Contractor Privacy Notice

Effective as of November 17, 2022

Last update: November

I. MYPOS.BG LTD’ commitment to Privacy

MYPOS.BG LTD is committed to proceeding the personal information of its candidates and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and The Personal Data Protection Act 2002.

MYPOS.BG LTD is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS.BG LTD.

1.1. About us.

When this Notice mentions “MYPOS.BG LTD”, “we,” “us,” or “our,” it refers to Company, registered under Company Number 203964123, having seat and registered address in Sofia, 76A James Boucher Blvd. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS.BG LTD carries out with respect to its candidates. The present Privacy Notice is not intended for employees or civil candidates, for which MYPOS.BG LTD has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS.BG LTD corporate family: We may share your Personal Data with members of the MYPOS.BG LTD corporate family or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS.BG LTD holding companies or MYPOS.BG LTD itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 6 (six) months after you have applied for any of our job applications or have otherwise, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS.BG LTDmay keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS.BG LTD by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you.

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Commission for personal data protection
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Email: kzld@cpdp.bg

VI. Operating globally.

To facilitate our global operations we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe, India, Asia Pacific and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS.BG LTD is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII.Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX. Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

PAYMENT TECHNOLGY SARL Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. PAYMENT TECHNOLGY SARL’ commitment to Privacy

PAYMENT TECHNOLGY SARL is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and Federal Act on the Protection of Individuals with Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999).

PAYMENT TECHNOLGY SARL is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with PAYMENT TECHNOLGY SARL.

1.1. About us

When this Notice mentions “PAYMENT TECHNOLGY SARL”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 831681705, having seat and registered address in 2 Rue Vilaret de Joyeuse, Paris 75017 France. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which PAYMENT TECHNOLGY SARL carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which PAYMENT TECHNOLGY SARL has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the PAYMENT TECHNOLGY SARL corporate family: We may share your Personal Data with members of the corporate family of PAYMENT TECHNOLGY SARL or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the PAYMENT TECHNOLGY SARL holding companies or PAYMENT TECHNOLGY SARL itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, PAYMENT TECHNOLGY SARL may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before PAYMENT TECHNOLGY SARL by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

France – CNIL

3 Place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
FRANCE
https://www.cnil.fr/fr/contacter-la-cnil-standard-et-permanences-telephoniques

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

PAYMENT TECHNOLGY SARL is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS ITALY SRL Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS ITALY SRL’ commitment to Privacy

MYPOS ITALY SRL is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and The Data Protection Code.

MYPOS ITALY SRL is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS ITALY SRL.

1.1. About us

When this Notice mentions “MYPOS ITALY SRL”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 10439670968, having seat and registered address in Milano – Corso Europa n.11, Italy. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS ITALY SRL carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS ITALY SRL has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS ITALY SRL corporate family: We may share your Personal Data with members of the corporate family of MYPOS ITALY SRL or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS ITALY SRL holding companies or MYPOS ITALY SRL itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS ITALY SRL may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS ITALY SRL by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Garante per la protezione dei dati personali

Piazza Venezia 11 - 00187 Roma (Italy)
Phone: +39 06.696771
Email account: protocollo@gpdp.it

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS ITALY SRL is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS.AT GMBH Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS.AT GMBH’ commitment to Privacy

MYPOS.AT GMBH is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and Federal Act on the Protection of Individuals with Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999).

MYPOS.AT GMBH is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS.AT GMBH.

1.1. About us

When this Notice mentions “MYPOS.AT GMBH”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 496572, having seat and registered address in Jordangasse 7/12, 1010 Vienna, Austria, Netherlands. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS.AT GMBH carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS.AT GMBH has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS.AT GMBH corporate family: We may share your Personal Data with members of the corporate family of MYPOS.AT GMBH or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS.AT GMBH holding companies or MYPOS.AT GMBH itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS.AT GMBH may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS.AT GMBH by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Austrian Data Protection Authority

Barichgasse 40-42,
1030 Vienna
Austria / Europe
E-Mail: dsb@dsb.gv.at

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS.AT GMBH is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS BELGIUM B.V.’ Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS BELGIUM B.V.’’ commitment to Privacy

MYPOS BELGIUM B.V.’ is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data.

MYPOS BELGIUM B.V.’ is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS BELGIUM B.V.’

1.1. About us

When this Notice mentions “MYPOS BELGIUM B.V.’”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 0715961057, having seat and registered address in Drukkerijstraat 16 2000 Antwerpen, Belgium. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS BELGIUM B.V.’ carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS BELGIUM B.V.’ has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS BELGIUM B.V.’ corporate family: We may share your Personal Data with members of the corporate family of MYPOS BELGIUM B.V.’ or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS BELGIUM B.V.’ holding companies or MYPOS BELGIUM B.V.’ itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS BELGIUM B.V.’ may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS BELGIUM B.V.’ by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Autoriteit Persoonsgegevens

PO Box 93374
2509 AJ DEN HAAG
Telephone number: (+31) - (0)70 - 888 85 00

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS BELGIUM B.V.’ is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS NETHERLANDS B.V. Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS NETHERLANDS B.V.’ commitment to Privacy

MYPOS NETHERLANDS B.V. is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and The GDPR Implementing act.

MYPOS NETHERLANDS B.V. is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS NETHERLANDS B.V..

1.1. About us

When this Notice mentions “MYPOS NETHERLANDS B.V.”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 75413329, having seat and registered address in Tilburg, 50 Tivolistraat, Netherlands. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS NETHERLANDS B.V. carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS NETHERLANDS B.V. has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS NETHERLANDS B.V. corporate family: We may share your Personal Data with members of the corporate family of MYPOS NETHERLANDS B.V. or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS NETHERLANDS B.V. holding companies or MYPOS NETHERLANDS B.V. itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS NETHERLANDS B.V. may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS NETHERLANDS B.V. by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Autoriteit Persoonsgegevens

PO Box 93374
2509 AJ DEN HAAG
Telephone number: (+31) - (0)70 - 888 85 00

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS NETHERLANDS B.V. is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA Candidate Privacy Notice

Effective as of November 2022

Last update: November 2022

I. MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA’ commitment to Privacy

MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and the Law No. 58/2019.

MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA.

1.1. About us

When this Notice mentions “MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 515734446, having seat and registered address in Avenida da República, Nº 6 1º andar, 1050-191 Lisbon, Portugal. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA corporate family: We may share your Personal Data with members of the corporate family of MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA holding companies or MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Portugal – Comissão Nacional de Proteção de Dados

Av. D. Carlos I, 134, 1º
1200-651 Lisboa

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS PORTUGAL PAYMENT TECHNOLOGIES LDA is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS EXPERIENCE CENTER RO S.R.L Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS EXPERIENCE CENTER RO S.R.L’ commitment to Privacy

MYPOS EXPERIENCE CENTER RO S.R.L is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and the Law, published in the Official Gazette No. 651 of 26 July 2018.

MYPOS EXPERIENCE CENTER RO S.R.L is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS EXPERIENCE CENTER RO S.R.L.

1.1. About us

When this Notice mentions “MYPOS EXPERIENCE CENTER RO S.R.L”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number J140/13218/2019, having seat and registered address in CALEA VICTORIEI NR 155, Sector 1, Bucuresti, Romania. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS EXPERIENCE CENTER RO S.R.L carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS EXPERIENCE CENTER RO S.R.L has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS EXPERIENCE CENTER RO S.R.L corporate family: We may share your Personal Data with members of the corporate family of MYPOS EXPERIENCE CENTER RO S.R.L or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS EXPERIENCE CENTER RO S.R.L holding companies or MYPOS EXPERIENCE CENTER RO S.R.L itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS EXPERIENCE CENTER RO S.R.L may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS EXPERIENCE CENTER RO S.R.L by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

National Supervisory Authority for Personal Data Processing ('ANSPDCP')

G-ral Blvd. Gheorghe Magheru 28-30
Sector 1, postal code 010336
Bucharest, Romania
anspdcp@dataprotection.ro

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS EXPERIENCE CENTER RO S.R.L is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.

MYPOS GB LTD Candidate Privacy Notice

Effective as of: November 2022

Last update: November 2022

I. MYPOS GB LTD’ commitment to Privacy

MYPOS GB LTD is committed to proceeding the personal information of its contractors and provide them with the appropriate safeguards, rights and freedoms, as defined in the applicable legislation, including but not limited to the GDPR and Data Protection Act 2018.

MYPOS GB LTD is continuously improving its data processing practices, policies and procedures. Our Privacy Notice aims to provide you with as much transparency over the way we handle your data as possible.

The present Privacy Notice describes how we collect, use, process, and disclose your information, including personal information, as well as your rights as a data subject, in relation to your contract with MYPOS GB LTD.

1.1. About us

When this Notice mentions “MYPOS GB LTD”, “we,” “us,” or “our,” it refers to Employer, registered under Company Number 12138232, having seat and registered address in Dunne & Waterman Hamilton House, 1 Temple Avenue, London, England. This company is responsible for your information under the present Privacy Notice.

1.2. Who is this Privacy Notice for?

The present document outlines the data processing activities which MYPOS GB LTD carries out with respect to its contractors. The present Privacy Notice is not intended for employees or job candidates, for which MYPOS GB LTD has separate privacy notices. If you are unsure how or if this Privacy Notice applies to you, please contact your Human Resources representative at hr@mypos.com.

II. What data do we collect and process about you?

We collect and maintain different types of personal information about you in accordance with applicable law. Please be aware that any data that is collected under grounds such as legal obligations; or contractual requirement; or a requirement necessary to enter into a contract, is necessary to be processed by us in order to achieve these purposes and we would not be able to maintain adequate legal relationships with you in case you do not provide us with said data. Here is a breakdown of the types of data that we collect directly from you, the legal grounds for the processing and the general types of third-parties that we may share these types of data with.

III. Specific data processing.

In any case, we may share any of your information for specific reasons, outlined below:

1. Sharing data other members of the MYPOS GB LTD corporate family: We may share your Personal Data with members of the corporate family of MYPOS GB LTD or within our extended family of companies that are related by common ownership or control, so that we may provide the Services you have requested or authorized or to manage the risk, or to help detect and prevent potentially illegal and fraudulent acts and other violations of our policies and agreements.

2. Aggregated Data. We may also share aggregated information (information about our users that we combine together so that it no longer identifies or references an individual user) and other anonymized information for regulatory compliance, industry and market analysis, demographic profiling and other business purposes.

3. With our legal counsels for the purposes of protecting our legal rights. We may share any information which is necessary to protect our legal rights to legal counsels or similar parties.

4. Business Transfers. If any of the MYPOS GB LTD holding companies or MYPOS GB LTD itself is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then we may sell, transfer or share some or all of our assets, including your information in connection with such transaction or in contemplation of such transaction (e.g., due diligence). In this event, we will notify you before your personal information is transferred to a different legal person and/or becomes subject to a different Privacy Notice.

IV. Data Retention and Erasure.

We generally retain your personal information for as long as is necessary for the performance of the contract between you and us and to comply with our regulatory obligations. Generally, we continue to keep your information in an identifiable way for a period of 3 (three) years after the termination of your contract, unless any specific laws oblige us to keep your personal information for a longer period. Please note that if you request the erasure of your personal information:

• We may retain some of your personal information as necessary for our legitimate interests or in case the information would be required in cases where we need to investigate and respond to claims against us.
• We may retain and use your personal information to the extent necessary to comply with our legal obligations. For example, MYPOS GB LTD may keep some of your information for social security, employee protection and safety, tax, legal reporting and auditing obligations.
• Because we maintain our records in a manner protecting from accidental or malicious loss and destruction, residual copies of your personal information may not be removed from our backup systems for a limited period of time, until these backups are destroyed.

V. Your rights.

You may exercise any of the rights described in this section before MYPOS GB LTD by sending a written request to dpo@mypos.com. Please note that upon receipt of your e-mail we shall try our best to provide you with the requested information and resolve your request in reasonable time, subject to all obligations which we or the related companies have under the applicable laws.

5.1. Managing Your Information.

You have the right to obtain the following:

• confirmation of whether and where we are processing your personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to any Regulator;
• where the data was not collected from you, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing.
• Additionally, you may request a copy of the personal data being processed.

5.2. Rectification of Inaccurate or Incomplete Information.

You have the right to ask us to correct inaccurate or incomplete personal information concerning you

5.3. Data Access and Portability.

You have the right to:

• receive a copy of your personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer your personal data from one controller to another;
• store your personal data for further personal use on a private device; and
• have your personal data transmitted directly between controllers without hindrance.

In some jurisdictions, applicable law may entitle you to request copies of your personal information held by us.

5.4. Withdrawing Consent and Restriction of Processing.

Where you have provided your consent to the processing of your personal information by us you may withdraw your consent at any time by sending a communication to us specifying which consent you are withdrawing. Please note that the withdrawal of your consent does not affect the lawfulness of any processing activities based on such consent before its withdrawal.

5.5. Objection to Processing.

In some jurisdictions, applicable law may entitle you to require us not to process your personal information for certain specific purposes in case you object, where such processing is based on legitimate interest. If you object to such processing we will no longer process your personal information for these purposes unless we can demonstrate compelling legitimate grounds for such processing or such processing is required for the establishment, exercise or defence of legal claims.

5.6. How do I complain?

You should in first place try to resolve the matter by sending an e-mail to dpo@mypos.com under this Privacy Notice. In case you wish to bring your complaint further, you may escalate it to the following authority:

Information Commissioner’s Office:

Address:
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Telephone: 0303 123 1113

VI.Operating globally.

To facilitate our global operations, we may be required to transfer, store, and process your information within our family of companies or with service providers based in Europe and North and South America. Because personal data protection laws may differ in these countries, where we transfer store and process your personal information outside of the UK or EEA we have ensured that appropriate safeguards are in place to ensure an adequate level of data protection.

VII. International transfers.

7.1. Adequacy Decisions.

Where we disclose any of your collected personal information outside EEA, we shall comply with any relevant adequacy decision, where possible.

7.2. Other Means to Ensure an Adequate Level of Data Protection.

In case personal information is shared with corporate affiliates or third-party service providers outside the EEA in absence of an adequacy decision, we have - prior to sharing your information with such corporate affiliate or third-party service provider – established the necessary means to ensure an adequate level of data protection and a valid legal ground under the applicable data transfer rules. We will provide further information on the means to ensure an adequate level of data protection on request. This includes transfers from the EEA to the US.

Protection of personal data transferred from or to the United Kingdom of Great Britain and Northern Ireland:

MYPOS GB LTD is a part of a global group of companies, with operations in the USA, UK and across EEA. Where we transfer any of your collected personal data from or to UK we shall comply with the Decision on the adequate protection of personal data by the United Kingdom - General Data Protection Regulation, dated 28 June 2021.

VIII. Security.

We take the responsibility to ensure that your personal information is secure. To prevent unauthorized access or disclosure of information we maintain physical, electronic and procedural safeguards that comply with applicable regulations to guard non-public personal information.

If you know or have reason to believe that any of your information has been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.

IX.Changes to this Privacy Notice.

We reserve the right to modify this Privacy Notice at any time in accordance with this provision. If we make changes to this Privacy Notice, we will send you the revised Privacy Notice via email.

X. Contact.

If you have any questions or complaints about this Privacy Notice or our information handling practices, you send us an email at dpo@mypos.com.