F24 Group Privacy Policy

Hereunder you will find an overview of the categories of personal data that we process for our own purposes. Per category of personal data we have specified from what categories of data subjects the data is collected, how the personal data is obtained, for what purpose we process the personal data, on what legal basis the processing of the personal data is based, for how long the personal data is retained and for whom the personal data is accessible.

Category: Contact details (such as your name, e-mail address and/or phone number)

• Categories of data subjects: every person that contacts us or otherwise provides us with their contact details as detailed here below.

• Obtained: directly from the data subject, provided to us through the contact form on our website, by creating an account or by any other means of contacting us or in contact with us.

• Purpose: to communicate with the data subject in the context of sales (including the conclusion of agreements) and aftersales and/or other subjects that are relevant in the relationship between us and the data subject.

• Legal basis: the data subjects consent to process its personal data, the performance of a contract with the data subject and/or our legitimate interests.

• Retention period: these personal data shall be retained for up to two years after the last contact with the data subject or up to two years after the performance of the contract that formed the legal basis for the processing. One month before the personal data are deleted, we shall inform the data subject about the upcoming deletion of the personal data so that the data subject can exercise any rights with regard to the personal data in time, if the data subject wishes to do so.

• Accessible to: to the extent necessary for the purpose of the processing, these personal data can be available to our sales team, our account managers and our technical team. Also we can be legally obliged to provide personal data to authorities. In principle, we do not share your personal data with other third parties. When we do share your personal data with others, we also make written agreements with them about the processing of your personal data. However. Software suppliers of F24 do have access to our systems. With these ‘processors’ within the meaning of the GDPR, F24 has made agreements to ensure the careful processing of your personal data.

We also process personal data through the use of cookies. More information regarding the processing of your personal data through the use of cookies can be found in paragraph II. of this Policy.

When using our Services we may store cookies on your devices, specifically on your web browser. These are small files that contain certain information related to the identification of your device. The following information may be stored:

Category: data obtained with the use of technical cookies (your preferred language)

• Categories of data subjects: website visitors.

• Obtained: through the deployment of the i18n_redirected cookie on our website.

• Purpose: to offer our website in the language that the data subjects prefers.

• Legal basis: our legitimate interest to provide our website in the preferred language.

• Retention period: 1 year

• Accessible to: our technical team. Also we can be legally obliged to provide personal data to authorities.

Category: data obtained with the use of analytical cookies (your IP address and actions on our website)

• Categories of data subjects: website visitors.

• Obtained: through the deployment of the hex (10) cookie on our website.

• Purpose: to register the data subjects interaction with our website.

• Legal basis: the data subjects consent to process the personal data.

• Retention period: session.

• Accessible to: our technical team, our sales team. Also we can be legally obliged to provide personal data to authorities

We do not make use of automated decision-making as only humans make decisions in our organization. We do not use computer-based profiling in our processes to make decisions.

We do not process any sensitive personal data and/or special categories of personal data. Further, our Services do not intend to collect data on website visitors who are under 16 years of age. Unless they have permission from parents or guardian. However, we cannot verify whether a visitor is older than 16. We therefore recommend that parents be involved in their children's online activities in order to avoid collecting data about children without parental consent. If you believe that we have collected personal information about a minor without such consent, please contact us at [email protected] and we will delete this information.

We endeavours to implement appropriate organisational and technical (security) measures to protect your personal data against unlawful access or alteration, disclosure or destruction. For example, [measures]

If, despite the security measures, there is a security incident (data breach) that is likely to have adverse effects on your privacy, we will inform you about the incident as soon as possible. We will then also inform you of the measures we have taken to mitigate the consequences and to prevent recurrence in the future.

In the unlikely event that you discover a security breach or suspect that the security of your personal data is not properly guaranteed, please contact us immediately. We have procedures in place to handle these reports adequately and carefully in accordance with the applicable legislation.

In principle, we do not share your personal data outside the European Economic Area (EEA). If we transfer your personal data to countries outside the EEA, we will only do so under the conditions required by privacy legislation (inter alia, we will make effort to ensure that an adequate level of protection exists and will put in place contractual, technical and organisational safeguards where necessary, for example by means of a contract to which the EU Model Clauses (SCCs) apply and any additional measures where required by law). If we are not assured of an adequate level of protection, we will inform you accordingly and seek your consent to the transfer of your personal data. In doing so, foreign authorities may demand access to your data or you may not be able, or less easily, to appeal to a court. You can withdraw this consent at any time. Your preference will then be adjusted. This has no consequences for the processing that has already taken place. We use servers outside the European Economic Area, but make an effort to anonymise stored data as much as possible.

Data subjects have the following rights concerning the processing of their personal data:

• Data subjects can request information about and access to the personal data that we process about them. This merely means that Data subjects can ask what personal data has been recorded about them and for what purposes that personal data is used and with which third parties it is shared.

• Data subjects can object to the processing of their personal data, for example if they be-lieve that the use of their personal data is not necessary for the execution of our activities or to comply with a legal obligation.

• Data subjects can request us to have their personal data amended/corrected and/or to restrict the processing of your personal data.

• Data subjects can ask us to delete their personal data from our systems.

• Data subjects can ask us to arrange for their personal data to be transferred to another party

• Data subjects can withdraw consent for the processing of their personal data at any time. Please note that data subjects cannot withdraw their consent for personal data previously processed on the basis of their consent.

Requests and other communications regarding the exercise of the aforementioned rights can be made in writing using the contact details below. If we deem it necessary, we may ask additional questions to verify the data subjects identity. Wel will generally reply to requests within one month of receiving the request. We will comply with requests, unless we have a compelling legitimate interest not to comply with a request that outweighs the privacy interest of the data subject that made the request. Also, for technical reasons, we cannot (always) immediately delete all copies of personal data from our systems and backup systems. We may also refuse to comply with the aforementioned requests if they are made unreasonably frequently, require unreasonable technical effort or have an unreasonable technical impact on our systems or jeopardise the privacy of others.

If we have complied with a request to correct, supplement or delete personal data, or if a data subject has withdrawn previously given consent to process their personal data, we will also inform third parties to whom these personal data has been provided of the changes made.

If a data subject is not satisfied with the way we have dealt with a request or objection or otherwise with the processing of personal data by us, the data subject can also lodge a complaint about the use of their personal data with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) via: https://autoriteitpersoonsgegevens.nl/een-tip-of-klacht-indienen-bij-de-ap.

Please be aware that this Policy can be changed from time to time. Therefore, we advise to check this Policy regularly. In case of material changes, we shall inform data subjects to whom the material changes are relevant of the material changes.