Dear All,

We would like to present you with our Privacy Policy. As this policy will help you make informed decisions about your relationship with us, please read it carefully.

Introduction

This document contains our Privacy Policy, i.e. the principles that guide us in the processing of personal data. This document also contains the content of the information obligations that, in accordance with the law, must be presented to the data subjects, i.e. you. Before we get into the details, we would like to highlight some of the key principles of personal data protection. They are important to us because we know that they are also important to you.

The Privacy Policy has four purposes: 1. An explanation of how we use the information you provide to us to better tailor our products and services to your expectations; 2. Ensuring that all information about the processing of your data is presented in a clear and transparent manner; 3. Assuring you that the personal data processed by us is safe in relation to the threats that arise in the processes of its processing; 4. Ensuring transparency in contacts with us, so that the implementation of the right to privacy is always guaranteed.

All the information we collect is directly or indirectly related to our activity, i.e., the creation of a comprehensive, tailor-made software service with the use of state-of-the-art technological solutions.

We are the controller of your personal data, which means that we decide on the purposes and means of its processing. In practice, it should be remembered that X-CODE sp. z o.o. with its registered office at ul. Klaudyny 21 lok. 8, 01-684 Warsaw is the entity that is responsible for your personal data. For any questions or concerns regarding your personal data, please contact the Data Protection Officer at: iod@x-code.pl. In general, all personal data processed by us is divided into the processes by which it is processed based on the main purpose behind the processing and the category of data subjects. These are:

1. Recruitment

The personal data of job candidates is processed in order to efficiently carry out the process of selecting job candidates and to select the most suitable person for a specific position. Your personal data is processed in this process based on your consent. It is worth noting that consent may be expressed for the processing of personal data in order to participate in a specific recruitment as well as for the purposes of future possible recruitment processes. We are open to specialists who want to achieve success together with us. In the process, we store your application documents for a period of 2 years from the end of the recruitment process. After this period of time, your data (if we do not cooperate) will be completely removed from our resources. Providing personal data is completely voluntary; however, some information, in

particular about your professional experience, is very important due to the purpose we want to achieve. Your personal data in this process may be entrusted to external entities participating in the recruitment process; however, we would like to point out that these entities remain under our constant supervision and ensure at least the same level of personal data security as we do.

2. Marketing process

The personal data of customers and potential customers (prospects) are processed in order to provide the opportunity to present our products and services, to answer your enquiries and to carry out active marketing through selected communication channels or to publish an image from participation in industry events. Your personal data will be processed in this process on the basis of your consent (marketing through selected communication channels) or for the purpose of concluding a contract in the case of enquiries addressed to the company, as well as for the purpose of Newsletter subscription. In addition, your data is processed on the basis of the so-called legitimate purpose of the personal data administrator when we recommend the company’s services in personal contacts or create statistics and marketing reports. Providing personal data in this process is voluntary, but failure to do so will prevent us from answering the enquiry or presenting our offer in a manner tailored to your individual needs. In the process, your personal data is stored for 3 years after your revocation of consent, if one was granted. In the remaining scope, also for 3 years from the end of the newsletter service, i.e. from the last active action on personal data or your request for quotation. After this period of time, your data (if we do not cooperate) will be completely removed from the company’s resources. Your personal data in this process may be entrusted to external entities involved in the marketing process (e.g. mailing service providers); however, we point out that these entities remain under constant supervision of the company and ensure at least the same level of personal data security.

3. Provision of services

The personal data, in particular of solo entrepreneurs, civil partnerships as well as representatives of legal persons, are processed for the purpose of fulfilling a contract for the provision of services. Your personal data in this process is processed in order to fulfil our obligations under the law (mainly tax law) and for a so-called legally justified purpose, such as reporting and statistical activities. In the process, we will store your personal data for a period of 6 years after it has been archived, i.e. after the last activity in connection with issuing an accounting document to you. Providing personal data is voluntary, but the failure to do so will prevent us from performing the contract or issuing an accounting document. Your personal data in this process may be entrusted to external entities participating in the process; however, we would like to point out that these entities remain under our constant supervision and ensure at least the same level of personal data security as we do.

4. Counterparties and suppliers

The personal data of representatives of our counterparties, i.e. solo entrepreneurs, civil partnerships and representatives of legal persons, are processed in order to fulfil contractual obligations. Your personal data in this process is processed on the basis of a contract (even if it is not recorded in writing), in order to fulfil our obligations under the law (mainly tax law) and for a legally justified purpose, which is the fulfilment of the contract with the counterparty (usually your employer). In the process, we store your personal data for a period of 6 years from its archiving, i.e. from the last activity related to the performance of the contract with the counterparty. Providing personal data is voluntary, but the failure to do so will prevent us from performing the contract concluded with the counterparty. Your data may be provided by a counterparty (e.g. your employer). Your personal data in this process may be entrusted to external entities participating in the process; however, we would like to point out that these entities remain under our constant supervision and ensure at least the same level of personal data security as we do.

5. Access control

Personal data is also processed to ensure the safety of people and property in our locations. Your personal data in this process is processed on the basis of a legally justified purpose, which is the above-mentioned security. In the process, we store your personal data for a period of 3 months to 2 years from its archiving, depending on the location, i.e., recording your image by video monitoring. Providing personal data in this process is also voluntary, but the failure to do so will make it impossible to enter the protected area. Your personal data in this process may be entrusted to external entities participating in the access control process; however, we would like to point out that these entities remain under our constant supervision and ensure at least the same level of personal data security as we do.

Your rights We wanted to emphasise that we guarantee each person whose data we process the exercise of the following rights:

· the right to access the content of the data – you can ask us to describe the processing of your personal data specifically and to provide any personal data collected about you. However, we would like to point out that excessive exercise of this right will hinder our work, so please be reasonable in exercising it;

· the right to rectify data – we make every effort to always process the most up-to-date data about you, but if it turns out that the data that we process is incorrect, you can always ask us to correct it;

· the right to erase data – if you no longer wish us to process your personal data, you can always ask us to erase it. However, we would like to point out that the right to erase data cannot be exercised in every case as some of the data must be retained in some cases due to legal regulations binding on us;

· the right to limit processing – if you find that the data we process for some reason should not be deleted after the above-mentioned periods of time, you can ask us for its further storage;

· the right to data portability – if it turns out that we process your personal data in IT systems, you can ask us to transfer it to another service provider. However, we would like to point out that this right applies only to the data that you have provided to us yourself;

· the right to object – you can always contact us to object to the processing of specific personal data for a specific purpose. In any such case, your objection will be considered and your comments taken into account in the future processing of your data;

· the right to withdraw consent – you can withdraw your consent to process personal data at any time, but all actions that we performed on your data before its withdrawal will remain valid;

· the right to lodge a complaint – if you believe that we are infringing your right to privacy, you can always turn to the President of the Office for Personal Data Protection with a complaint, but we encourage you to resolve any concerns amicably before you do so.

Summary

To sum up, we make every effort to ensure that the processing of your personal data encroaches on your privacy as little as possible; however, if at any stage of the processing of your personal data there are doubts as to the compliance of such activities with the law, please contact: iod@x-code.pl