Privacy Policy

We, Finiqua Finance Ltd, together with our subsidiaries (hereinafter jointly referred to as “the company”, “we” or “us”) take the protection of your personal data seriously and would like to take this opportunity to inform you about data protection in our company, including the following brands : Kindlyn & Triple8. Finance

As part of our responsibility under data protection law, additional obligations have been imposed on us by the entry into force of the EU General Data Protection Regulation (Regulation (EU) 2016/679; hereinafter: “GDPR“) in order to ensure the protection of personal data of the person affected by processing (we also refer to you as the data subject hereinafter as “customer”, “user”, “you”, “you” or “data subject”).

Insofar as we decide either alone or jointly with others on the purposes and means of data processing, this includes above all the obligation to inform you transparently about the type, scope, purpose, duration and legal basis of the processing (cf. Art. 13 and 14 GDPR). With this declaration (hereinafter: “data protection information”) we inform you about the way in which your personal data is processed by us.

Our data protection information has a modular structure. They consist of a general section for all processing of personal data and processing situations that apply each time a website is accessed (A. General) and a special section, the content of which relates only to the processing situation specified there with the designation of the respective offer or product, in particular the visit to websites described in more detail here (B. Visit to websites).

A. General information

(1) Definitions

Following the example of Art. 4 GDPR, this data protection notice is based on the following definitions:

-“Personal data” (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person (“data subject”). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or information relating to their physical, physiological, genetic, mental, economic, cultural or social identity. Identifiability can also be achieved by linking such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photos, video or audio recordings can also contain personal data).

-Processing” (Art. 4 No. 2 GDPR) means any operation which is performed on personal data, whether or not by automated means (i.e. using technical specifications). This includes, in particular, the collection (i.e. acquisition), recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data, or alteration of the purposes for which they were originally processed.

-Controller” (Art. 4 No. 7 GDPR) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

-A “third party” (Art. 4 No. 10 GDPR) is any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process the personal data; this also includes other legal entities belonging to the group.

-A “processor” (Art. 4 No. 8 GDPR) is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller, in particular in accordance with the controller’s instructions (e.g. IT service provider). In terms of data protection law, a processor is in particular not a third party.

-Consent” (Art. 4 No. 11 GDPR) of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(2) Name and address of the controller

We are the controller responsible for the processing of your personal data within the meaning of Art. 4 No. 7 GDPR:

Finiqua Finance Ltd

2850 Shaughnessy Street

Unit 2300

Port Coquitlam Bc V3c 6k5

Canada

e-mail: [email protected]

For further information about our company, please refer to the legal notice on our website https://kindlyn.com/legal-notice/.

(2a) Data protection representative in the EU and data protection officer

We have appointed a data protection officer for our company. This person also acts as our data protection representative in the EU. You can reach him at:

SBS DATA PROTECT GmbH

by the Managing Director Mr Thilo Noack

Hans-Henny-Jahnn-Weg 49, DE-22085 Hamburg

E-mail: [email protected]

(3) Legal basis for data processing

In principle, any processing of personal data is prohibited by law and is only permitted if the data processing falls under one of the following justifications:

• Art. 6 para. 1 sentence 1 lit. a GDPR (“consent”): If the data subject has voluntarily, in an informed and unambiguous manner, by means of a statement or other unambiguous affirmative act, indicated that they consent to the processing of personal data concerning them for one or more specific purposes;
• Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• Art. 6 para. 1 sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to retain data);
• Art. 6 para. 1 sentence 1 lit. d GDPR: If processing is necessary in order to protect the vital interests of the data subject or another natural person;
• Art. 6 para. 1 sentence 1 lit. e GDPR: If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
• Art. 6 para. 1 sentence 1 lit. f GDPR (“Legitimate interests”): If the processing is necessary for the purposes of the legitimate (in particular legal or economic) interests pursued by the controller or by a third party, except where such interests are overridden by the interests or rights of the data subject (in particular where the data subject is a minor).

For the processing operations we carry out, we indicate the applicable legal basis in each case below. Processing can also be based on several legal bases.

(4) Data retention period and erasure

For the processing operations carried out by us, we indicate below how long the data is stored by us and when it is deleted or blocked. Unless an explicit retention period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage no longer applies. Your data will only be stored on our servers in Germany, subject to any disclosure in accordance with the provisions in A.(6) and A.(7).

However, data may be stored beyond the specified retention period in the event of an (impending) legal dispute with you or other legal proceedings or if storage is provided for by legal regulations to which we as the controller are subject. If the storage period prescribed by the statutory provisions expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this. Retention Periods: – Log data: 7 days

– Contact form data: 3 years after processing

– Cookie data: Depending on type (session/13 months)

– Marketing data: 24 months or until revoked

(5) Data security

We use suitable technical and organisational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties (e.g. TLS encryption for our website), taking into account the state of the art, the implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and effects) for the data subject. Our security measures are continuously improved in line with technological developments.

(6) Cooperation with processors

As with any large company, we also use external domestic and foreign service providers to process our business transactions (e.g. for IT, logistics, telecommunications, sales and marketing). These service providers only act in accordance with our instructions and are contractually obliged to comply with data protection regulations in accordance with Art. 28 GDPR.

If your personal data is passed on by us to our subsidiaries or is passed on to us by our subsidiaries (e.g. for advertising purposes), this is done on the basis of existing order processing relationships.

(7) Requirements for the transfer of personal data to third countries

As part of our business relationships, your personal data may be passed on or disclosed to third-party companies. These may also be located outside the European Economic Area (EEA), i.e. in third countries. Such processing takes place exclusively to fulfil contractual and business obligations and to maintain your business relationship with us (legal basis is Art. 6 para. 1 lit. b or lit. f in each case in conjunction with Art. 44 et seq. GDPR). We will inform you about the respective details of the transfer at the relevant points below.

The European Commission certifies that some third countries have a level of data protection comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en) . In other third countries to which personal data may be transferred, however, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is adequately guaranteed. This is possible via binding corporate rules, standard contractual clauses of the European Commission for the protection of personal data in accordance with Art. 46 para. 1, 2 lit. c GDPR, certificates or recognised codes of conduct.

(8) No automated decision-making (including profiling)

We do not intend to use personal data collected from you for automated decision-making (including profiling).

(9) No obligation to provide personal data

We do not make the conclusion of contracts with us dependent on you providing us with personal data beforehand. As a customer, you are under no legal or contractual obligation to provide us with your personal data; however, we may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data. If this should exceptionally be the case in the context of the products presented below and offered by us, you will be informed of this separately.

(10) Legal obligation to transmit certain data

We may be subject to a special legal or statutory obligation to provide the lawfully processed personal data to third parties, in particular public authorities (Art. 6 para. 1 sentence 1 lit. c GDPR).

(11) Your rights

You can assert your rights as a data subject with regard to your processed personal data at any time by contacting us using the contact details provided at the beginning under A.(2). As the data subject, you have the right to

• In accordance with Art. 15 GDPR, you have the right to request information about your data processed by us. In particular, you can request information about the purposes of processing, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of appeal, the origin of your data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information on its details;
• In accordance with Art. 16 GDPR, you have the right to demand the immediate correction of incorrect data or the completion of your data stored by us;
• In accordance with Art. 17 GDPR, you have the right to demand the deletion of your data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
• to demand the restriction of the processing of your data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
• In accordance with Art. 20 GDPR, you have the right to receive your data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted to another controller (“data portability”);
• In accordance with Art. 21 GDPR, you have the right to object to the processing if the processing is based on Art. 6 para. 1 sentence 1 lit. e or lit. f GDPR. This is particularly the case if the processing is not necessary for the fulfilment of a contract with you. If it is not an objection to direct advertising, we ask you to explain the reasons why we should not process your data as we have done when exercising such an objection. In the event of your justified objection, we will examine the situation and either discontinue or adapt the data processing or point out to you our compelling reasons worthy of protection on the basis of which we will continue the processing;
• In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent once given to us (even before the GDPR came into force, i.e. before 25 May 2018) – i.e. your voluntary, informed and unequivocal consent to the processing of the personal data concerned for one or more specific purposes, if you have given such consent – at any time by means of a declaration or other unambiguous confirmatory act. The consequence of this is that we may no longer continue the data processing based on this consent in the future and
• In accordance with Art. 77 GDPR, you have the right to complain to a data protection supervisory authority about the processing of your personal data in our company. A list of the German data protection supervisory authorities and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

(12) Changes to the data protection information

As part of the ongoing development of data protection law and technological or organisational changes, our data protection information is regularly reviewed to determine whether it needs to be amended or supplemented. You will be informed of any changes, in particular on our website.

B. Visiting our website

(1) Explanation of the function

Information about our company and the services we offer can be found in particular at https://kindlyn.com/ together with the associated subpages (hereinafter jointly referred to as “websites”). When you visit our websites, your personal data may be processed.

(2) Processed personal data

We collect, store and process the following categories of personal data when you use the website for information purposes:

“Log data”: When you visit our websites, a so-called log data record (so-called server log files) is stored temporarily and anonymised on our web server. This consists of:

• the page from which the page was requested (so-called referrer URL)
• the name and URL of the requested page
• the date and time of the call
• Description of the type, language and version of the web browser used
• the IP address of the requesting computer, which is shortened in such a way that a personal reference can no longer be established
• the amount of data transferred
• the operating system
• the message whether the call was successful (access status/Http status code)
• the GMT time zone difference

“Contact form data”: When contact forms are used, the data transmitted through them is processed (e.g. gender, surname and first name, address, company, email address and the time of transmission).

(3) Purpose and legal basis of data processing

We process the personal data specified above in accordance with the provisions of the GDPR, the other relevant data protection regulations and only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 para. 1 sentence 1 lit. f GDPR, the purposes mentioned also represent our legitimate interests.

The processing of log data serves statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (legal basis is Art. 6 para. 1 sentence 1 lit. a or lit. f GDPR).

The processing of contact form data is carried out to process customer enquiries (legal basis is Art. 6 para. 1 sentence 1 lit. b GDPR).

(4) Data Processing Retention Periods

Your data will only be processed for as long as is necessary to fulfil the above-mentioned processing purposes; the legal basis specified in the context of the processing purposes apply accordingly. Regarding the use and storage duration of cookies, please refer to point A.(4).

Third parties engaged by us will store your data on their system for as long as is necessary in connection with the provision of the services, in accordance with the respective order.

You can find more details on the retention periods under A.(4).

(5) Transfer of personal data to third parties; basis for justification

The following categories of recipients, which are usually processors (see A.(6)), may have access to your personal data:

• We use data processing service providers for the operation of our website and the processing of data stored or transmitted by the systems (e.g. for data centre services, payment processing, IT security). The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR, insofar as these are not processors;
• Government bodies/authorities, insofar as this is necessary to fulfil a legal obligation. The legal basis for the transfer is then Art. 6 para. 1 sentence 1 lit. c GDPR;
• Persons engaged to carry out our business operations (e.g. auditors, banks, insurance companies, legal advisors, supervisory authorities, parties involved in company acquisitions or the establishment of joint ventures). The legal basis for the disclosure is then Art. 6 para. 1 sentence 1 lit. b or lit. f GDPR.

For guarantees of an adequate level of data protection when data is transferred to third countries, see A.(7).

In addition, we will only pass on your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

(6) Use of cookies, plugins and other services on our website

a) Cookie

We use cookies on our websites. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive by means of a characteristic character string and through which certain information flows to the location that sets the cookie. Cookies cannot execute programs or transfer viruses to your computer and therefore cannot cause any damage. They serve to make the website more user-friendly and effective overall, i.e. more pleasant for you.

Cookies can contain data that makes it possible to recognise the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. In terms of their function, a distinction is made between cookies:

• Technical cookies: These are strictly necessary to move around the website, use basic functions and ensure the security of the website; they do not collect information about you for marketing purposes or store which websites you have visited;
• Performance cookies: These collect information about how you use our website, which pages you visit and, for example, whether errors occur when using the website; they do not collect any information that could identify you – all information collected is anonymous and is only used to improve our website and to find out what interests our users;
• Advertising cookies, targeting cookies: These are used to offer the website user customised advertising on the website or offers from third parties and to measure the effectiveness of these offers; advertising and targeting cookies are stored for a maximum of 13 months;
• Sharing cookies: These are used to improve the interactivity of our website with other services (e.g. social networks); sharing cookies are stored for a maximum of 13 months.

The legal basis for cookies that are absolutely necessary to provide you with the expressly requested service is Art. 6 para. 1 sentence 1 lit. b GDPR. Any use of cookies that is not absolutely technically necessary for this purpose constitutes data processing that is only permitted with your express and active consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. This applies in particular to the use of performance, advertising, targeting or sharing cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR.

b) Contact form

If you send us enquiries via the contact form, your message/message (comment), including the contact details you provide there, will be stored and processed by us for the purpose of processing and answering the enquiry and in the event of follow-up questions. We will not pass this data on to third parties unless this is necessary in the context of processing and responding to your contact enquiry or you have given us your consent to do so. If you contact us as part of an existing contractual relationship or contact us in advance for information about our range of services or our other services, the data and information you provide will be processed for the purpose of processing and responding to your contact enquiry in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR (legal basis).

The data you enter in the contact form will remain with us until the purpose for data storage/processing no longer applies (e.g. after your enquiry has been processed). Mandatory statutory provisions – in particular retention periods – remain unaffected.

c) Google Analytics

This website uses the functions of Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, on the basis of the consent you have given us (Art. 6 para. 1 sentence 1 lit. a GDPR). You can give us your consent voluntarily by clicking on the corresponding button in the “cookie banner” when you visit our website. As part of the processing described below, data is also regularly transmitted to Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Ireland Limited and Google LLC are hereinafter jointly referred to as “Google”. Google Analytics uses cookies (first-party cookies) that enable your use of the website to be analysed. However, this does not mean that we obtain direct knowledge of your identity. Google uses the information generated by the cookies on our behalf to analyse the use of the website, to compile reports on website activity and to provide us with other services relating to website activity and internet usage. This enables us to improve the quality of our website and its content. Based on statistical analyses, we learn how the website is used and can thus constantly optimise our offering.

The information generated by Google Analytics cookies about your use of this website (e.g. time, place and frequency of your website visit including IP address) is transmitted to a Google server in the USA and stored there. We have set the storage period at Google for corresponding data at user and event level to 14 months (shortest possible setting option).

IP anonymisation

We have activated the IP anonymisation function on this website. As a result, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before transmission to the USA and thus anonymised. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. According to Google’s own information, the IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data relating to your person.

Browser plugin

You can prevent the storage of Google Analytics cookies by selecting the appropriate settings in your browser software (see above). You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

Objection to data collection

Alternatively, you can activate/deactivate the collection of your data by Google Analytics, especially on mobile devices, by clicking on the following link:

Deactivate Google Analytics

Deactivation sets a cookie that prevents the collection of your data on future visits to this website. Specifically, the following tracking cookies are used by Google Analytics:__utmz, __utma, __utmb, __utmc, __utmt. You can find more information on how Google Analytics handles user data and the security and data protection principles as well as setting and objection options in Google’s privacy policy, available via the following link https://support.google.com/analytics/answer/6004245?hl=en.

d) Google Ads and Google Ads conversion tracking

This website uses Google Ads. Google Ads is an online advertising program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

As part of Google Ads, we use what is known as conversion tracking. When you click on an advert placed by Google, a cookie is set for conversion tracking. Cookies are small text files that the Internet browser stores on the user’s computer. These cookies lose their validity after 30 days and are not used to personally identify the user. If the user visits certain pages of this website and the cookie has not yet expired, Google and we can recognise that the user clicked on the ad and was redirected to this page.

Each Google Ads customer receives a different cookie. The cookies cannot be tracked via the websites of Google Ads customers. The information collected using the conversion cookie is used to generate conversion statistics for Google Ads customers who have opted for conversion tracking. Customers are told the total number of users who clicked on their advert and were redirected to a page with a conversion tracking tag. However, they do not receive any information that can be used to personally identify users. If you do not wish to participate in tracking, you can object to this use by easily deactivating the Google Conversion Tracking cookie via your Internet browser under user settings. You will then not be included in the conversion tracking statistics.

The storage of “conversion cookies” and the use of this tracking tool are based on Art. 6 para. 1 sentence 1 lit. f GDPR. We have a legitimate interest in analysing user behaviour in order to optimise

both our website and our advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 sentence 1 lit. a GDPR; the consent can be revoked at any time.

You can find more information about Google Ads and Google Conversion Tracking in Google’s privacy policy: https://policies.google.com/privacy?hl=en.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

(7) Social Media Engagement

Kindlyn & Triple8. Finance – Products of Finiqua – maintains official profiles on social media platforms, including Facebook, Instagram, and LinkedIn, to share updates, engage with the public, and promote our services. When you interact with us on these platforms—by following, commenting, liking, or messaging—we may receive limited personal data such as your username, profile information, or other details made publicly available. This processing is based on our legitimate interests in communication and brand visibility, in accordance with:

• EU GDPR – Article 6(1)(f),
• UK GDPR – Section 8,
• Swiss FADP – Articles 6 and 31, and
• Canada’s PIPEDA – Principles 3, 4, and 7.

Data Processing for Marketing and Customer Engagement

In accordance with Article 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Finiqua Finance provides the following information about our processing of personal data through third-party AI-based marketing and social media tools used to promote our brands Kindlyn and Triple8. Finance, engage with customers, and provide enhanced user experiences.

Linktree

Purpose: We use Linktree to create centralized landing pages that consolidate links to our various digital platforms, social media accounts, and promotional content for Kindlyn and Triple8. Finance. This enables users to easily access all our services from a single location.

Data Processing: Anonymous click tracking, No PII collected

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) – to promote our services and provide users with convenient access to our platforms. Our legitimate interest is based on our commercial need to effectively market our services and improve user experience. Where required, we may also rely on consent (Article 6(1)(a) GDPR) for specific tracking activities.

Data Location and International Transfers: Linktree processes and stores data in the United States. Under Article 44-49 GDPR, we ensure adequate protection for EU personal data through the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) and Standard Contractual Clauses approved by the European Commission.

Data Processing Addendum (DPA): https://linktr.ee/s/data-processing-addendum

ManyChat

Purpose: We use ManyChat to create automated chatbots and messaging sequences on Instagram, to provide customer support, deliver promotional content, and engage with potential customers interested in Kindlyn and Triple8. Finance services.

Data Processing: Name, User ID, Profile photo, messaging history, interaction preferences, response patterns.

Use Context: Only user-initiated. Two response types are used:

• Generic Replies – Neutral auto-comments such as “Thanks for engaging! Full post is in bio.” No follow-up or targeting.
• Double Opt-In Messaging – A user comments on a post (e.g. “Comment ‘info’ for KYC guide”). They are sent a DM asking to confirm by replying “accept” or “decline”. Information is only sent if consent is explicitly given.

Legal Basis:

• Consent (Article 6(1)(a) GDPR) – for marketing communications and automated messaging, obtained through clear opt-in mechanisms
• Contract performance (Article 6(1)(b) GDPR) – for providing customer support services as part of our service delivery
• Legitimate interests (Article 6(1)(f) GDPR) – for improving our services and user experience, balanced against your fundamental rights and freedoms

Data Location and International Transfers: ManyChat processes data in the United States. In accordance with Chapter V GDPR (Articles 44-49), we have implemented Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and additional safeguards to ensure adequate protection for EU personal data transfers. Data Processing Addendum (DPA): https://manychat.com/legal/dpa

Path Social

Purpose: We use Path Social for audience engagement and performance analysis on Instagram to promote the Kindlyn and Triple8. Finance brands, manage our online presence and ultimately support eligibility for Meta verification.

Data Processing: Social media profiles, engagement metrics, campaign performance analytics.

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) – to promote our services, analyze marketing effectiveness, and maintain our brand presence on social media platforms. Our legitimate interest is based on our commercial need to effectively reach our target audience and measure campaign performance.

Data Location and International Transfers: Under Article 44-49 GDPR, we ensure adequate protection for EU personal data through the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795) Privacy Policy: https://www.pathsocial.com/legal/

Later

Purpose: We use Later for social media content scheduling, planning, and publishing across multiple platforms (Instagram, Facebook, LinkedIn) to maintain consistent brand messaging for Kindlyn and Triple8. Finance, optimize posting times, and manage our social media calendar. Collect analytics of Views, Likes and Engagement most popular times.

Data Processing: Scheduled content, posting analytics, audience engagement metrics, and performance data.

Legal Basis: Legitimate interests (Article 6(1)(f) GDPR) – to efficiently manage our social media presence, optimize content delivery, and maintain consistent brand communication. Our legitimate interest is based on our commercial need to maintain effective digital marketing operations.

Data Location and International Transfers: [To be confirmed with vendor – requires verification of data processing locations and transfer mechanisms under Articles 44-49 GDPR]

Privacy Policy: https://later.com/privacy

Data Processing Addendum (DPA): [DPA requested from Later should LinkedIn be used – SCC’s clause to be added]

Data Sharing and Third-Party Processing

In accordance with Article 28 GDPR, all the above-mentioned tools act as data processors on our behalf. We have established comprehensive Data Processing Agreements with each provider to ensure compliance with GDPR requirements under Article 28(3). These agreements specify:

• The scope and purpose of data processing (Article 28(3)(a))
• Security measures and data protection requirements (Article 32 GDPR)
• Procedures for handling data subject rights requests (Articles 15-22 GDPR)
• Data retention and deletion protocols (Article 17 GDPR)
• Incident reporting and breach notification procedures (Article 33-34 GDPR)
• Sub-processor management and authorization (Article 28(2) and 28(4) GDPR)

International Data Transfers

In compliance with Chapter V of the GDPR (Articles 44-49), some of our marketing tools transfer personal data to countries outside the European Economic Area (EEA), particularly to the United States. We ensure that such transfers are protected by appropriate safeguards as required by Article 46 GDPR, including:

• Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914)
• Adequacy decisions where applicable, including the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795)
• Additional safeguards such as encryption, access controls, and regular security assessments
• Other legally recognized transfer mechanisms under Chapter V of the GDPR

You have the right to obtain information about these safeguards and request copies of the relevant documents in accordance with Article 15 GDPR.

Data Retention

In accordance with Article 5(1)(e) GDPR (storage limitation principle), personal data processed through our social media engagement tools is retained only for as long as necessary to fulfill the purposes outlined above, comply with legal obligations, or until you withdraw your consent (where applicable). Specific retention periods vary by tool and purpose:

• Engagement Analytics: Typically retained for 24 months for performance analysis and legitimate business interests
• Customer Communication Records: Retained for 36 months or as required by applicable law
• Marketing Preferences and Consent Records: Retained until consent is withdrawn or account deletion is requested, in compliance with Article 7(3) GDPR

We conduct regular reviews of retained data to ensure compliance with these retention periods and Article 17 GDPR (right to erasure).

Your Rights Under GDPR

Regarding data processed through our social media engagement tools, you have the following rights under Articles 15-22 and Article 7(3) of the GDPR:

• Right of Access (Article 15 GDPR): Request information about how your personal data is processed, including confirmation of processing, categories of data, purposes, recipients, and retention periods
• Right to Rectification (Article 16 GDPR): Request correction of inaccurate personal data without undue delay
• Right to Erasure (Article 17 GDPR): Request deletion of your personal data where certain conditions are met (also known as the “right to be forgotten”)
• Right to Restriction of Processing (Article 18 GDPR): Request limitation of processing activities under specific circumstances
• Right to Data Portability (Article 20 GDPR): Request transfer of your data to another controller in a structured, commonly used, and machine-readable format
• Right to Object (Article 21 GDPR): Object to processing based on legitimate interests, including profiling and direct marketing
• Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal
• Right to Lodge a Complaint (Article 77 GDPR): Lodge a complaint with a supervisory authority if you believe your data protection rights have been violated

How to Exercise Your Rights

To exercise any of these rights or for questions about our social media data processing practices, please contact us using the following methods:

Data protection representative in the EU and data protection officer

We have appointed a data protection officer for our company. This person also acts as our data protection representative in the EU. You can reach him at:

SBS DATA PROTECT GmbH

by the Managing Director Mr Thilo Noack

Hans-Henny-Jahnn-Weg 49,

DE-22085 Hamburg

E-mail: [email protected]

Response Time: We will respond to your request within one month of receipt, as required by Article 12(3) GDPR. In complex cases, this period may be extended by two months with notification to you.

Identity Verification: To protect your personal data, we may require verification of your identity before processing your request, in accordance with Article 12(6) GDPR.

Right to Complain: In accordance with Art. 77 GDPR, you have the right to complain to a data protection supervisory authority about the processing of your personal data in our company. A list of the German data protection supervisory authorities and their contact details can be found at the following link: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html.

Legal Framework: This section complies with the General Data Protection Regulation (EU) 2016/679 and incorporates the requirements of Articles 13-14 (information to be provided to data subjects), Article 6 (lawfulness of processing), Articles 15-22 (data subject rights), Article 28 (processor requirements), and Articles 44-49 (international transfers).

This section was last updated: 08 July 2025

Next scheduled review: [08 January 2025)]