Privacy policy of WITTCHEN S.A.

1. General Provisions

These provisions constitute a privacy policy (hereinafter referred to as the "Privacy Policy") which defines the legal basis for the processing of personal data and information regarding the collection and usage of personal data by WITTCHEN S.A. with its registered office in Palmiry, ul. Gdańska 60, 05-152 Czosnów, NIP: 9511022154, REGON: 011664266, KRS: 0000352760 (hereinafter: "WITTCHEN"). The Privacy Policy constitutes an integral part of the Terms and Conditions of the WITTCHEN Online Shop. Before using the Online Shop, the Buyer should read the Privacy Policy.

WITTCHEN uses personal data for the purposes indicated in the Privacy Policy, as well as for other purposes, with the latter being clearly defined each time in the Information Clauses shown to Clients.

The Controller shall take special care to protect the interests of the data subjects whose data it processes. The Controller collects and processes personal data:

• in accordance with generally applicable legislation;
• for the specific purposes indicated in the Privacy Policy and for other purposes, but in any case the latter are clearly set out in the Information Clauses;
• appropriate to the objectives and responsibilities pursued;
• in accordance with the presently required retention periods – for no longer than is necessary to ensure the fulfilment of individual processes, rights and obligations, and in accordance with the deadlines set by law;
• in accordance with the applicable data processing security standards, in particular, Controller protects against unauthorised and unlawful data processing, loss, damage, destruction or corruption by applying the necessary technical, organisational and procedural measures.

2. Definitions

Controller - WITTCHEN S.A. with its registered office in Palmiry at ul. Gdańska 60, 05-152 Czosnów.

Personal data - information about a natural person identified or identifiable by one or more factors specific to physical, physiological, genetic, mental, economic, cultural or social identity.

Information clause - any information provided in the event of data collection by the Controller resulting from Art. 13 or 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

Customer – i) a natural person, including a consumer (i.e. performing a legal act not directly related to their business or professional activity), who has the capacity to perform legal acts and/or is at least 13 years of age, however, in the event of this person being younger than 18, the consent of their statutory representative or legal guardian is required, as well as ii) a legal person and an organizational unit that is not a legal person, to which special provisions grant legal capacity, who uses or intends to use the Website, including the Online Shop and/or in the cases described in the Terms and Conditions of the Online Shop.

GDPR - Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

Processing entity - a natural or legal person, public authority or other entity that processes personal data on behalf of the Controller.

Profiling - this is any form of automated processing of Personal Data. Through profiling, it is possible to assign an individual, specific offer that is personalised for an individual Customer.

Processing - operations or a set of operations performed on Personal Data, e.g. collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, disseminating or otherwise making available, matching or linking, restricting, erasing or destroying.

Pseudonymisation - a processing of personal data in such a way that it cannot be attributed to a particular, specific data subject.

Online Shop - the Controller's website available at https://www.wittchen.com/en-US, enabling electronic trade related to the sale of WITTCHEN brand products.

Consent - a specific, informed and unambiguous demonstration of will by which a data subject, by means of a statement or a clear affirmative action, consents to the processing of Personal Data related to this data subject.

3. Data processing related to the usage of the Online Shop

In connection with the user's usage of the Online Shop, the Controller collects data to the extent necessary to provide the individual services offered, as well as information about the user's activity in the Online Shop. The specific principles and purposes of the processing of Personal Data collected during the user's usage of the Online Shop are described below.

4. Legal basis

All personal data shall be processed in accordance with applicable Polish and EU law, in particular the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

The Controller collects and processes personal data when:

• the data subject has given their consent to the processing (for a well-defined purpose) – in accordance with Art. 6(1)(a) of the GDPR;
• the data subject has entered into a contract with WITTCHEN (in particular a contract of sale or purchase or a commercial contract or a contract for the provision of services by electronic means), or seeks to enter into or terminate such a contract and to perform its provisions or other actions related to the contract – pursuant to Art. 6(1)(b) of the GDPR;
• it is necessary in order to comply with a legal obligation incumbent on the Controller – pursuant to Art. 6(1)(c) of the GDPR;
• it is necessary to pursue the legitimate interests of WITTCHEN or of third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of the Personal Data, in particular where the data subject is a child – pursuant to Art. 6(1)(f) of the GDPR.

The Controller processes Personal Data only if the prerequisites of the above-mentioned legal grounds are met. Specific examples, together with the stated legal basis for the processing of Personal Data, are indicated below in the Privacy Policy – in relation to the particular purpose for which the Controller processes Personal Data. For example, if the Customer decides to purchase from the Online Store and chooses personal collection of the purchased Product instead of courier delivery, their personal data will be processed for the purpose of executing the concluded Sales Agreement, however, they will not be made available to the carrier carrying out the delivery on behalf of the Controller.

5. Contact with the Data Controller

To contact the Data Controller in order to exercise your rights in relation to data protection and to obtain other information in connection with data processing by WITTCHEN, please address your requests:

• in writing to the following address: Palmiry, ul. Gdańska 60, 05-152 Czosnów, with a note ("to the Personal Data Controller");
• electronically to: ado@wittchen.com.

6. Displaying the WITTCHEN website

We would like to inform you that when you view the WITTCHEN website at https://www.wittchen.com/en-US in available web browsers, information is exchanged between your mobile device, computer or other device and the WITTCHEN servers. All information collected in connection with the display of the website is used for the smooth functioning of the IT processes taking place on the WITTCHEN website or other processes taking place in your browser. When you view contents of the https://www.wittchen.com/en-US website, your browser may transmit the following information: your IP address, the time of entry and exit, the name and URL address of the file displayed, the page or application from which the entry occurred. This data is transmitted in order to ensure the security and stability and the comfortable and uninterrupted use of the Website. The above data shall be processed in accordance with Art. 6 sec. 1(f) of the GDPR – in accordance with the aforementioned purposes.

The above-mentioned data are stored only for the duration of your stay at the WITTCHEN Online Shop and are then automatically deleted when you close this website, unless you have made a purchase of a given product(s) available in the Online Shop. In the event of a purchase of product(s), your data referred to above may be stored for one year, for the period of performance of the contract, for the period resulting from tax and accounting regulations and for the time necessary to pursue possible claims on the part of WITTCHEN (in accordance with the applicable legal provisions).

If you use the search engine for WITTCHEN brand retail outlets (available at: https://www.wittchen.com/en-US/our-stores), your browser, based on your consent to the disclosure of your geolocalisation data, is able to process this data in order to find the nearest shop in your area. We would like to inform you that such data is not stored in any way by WITTCHEN and is automatically deleted when you close the website.

7. Purposes of data processing

Your Personal Data is processed each time for a specific purpose, according to a specific legal basis. The following is a description of selected processes related to the Processing of Personal Data:

8. Data retention

We store your data, depending on the purpose and legal basis, for the following period of time:

• for the conclusion and performance of the contract – we store your data for the duration of the contract (e.g. sales contract, commercial contract and others);
• for direct marketing purposes – we store your data until you have expressed an effective and legitimate objection;
• for marketing purposes – we store your data until you withdraw your Marketing Consent;
• for the assertion or defence of possible claims – we store your data until the expiration of the statute of limitation for the claim in question (as required by law);
• for the purpose of processing a complaint or other request – we store your data until the complaint has been resolved and afterwards for the period of the statute of limitations for claims (resulting from the case);
• for tax and accounting purposes, for the period required by law;
• for other purposes – we may store your data for other purposes, with a strictly defined retention time (for the specific purpose of processing), however, we will always inform you of any rights and obligations you have by providing you with Information Clauses for any specific case.

We process your data for no longer than is necessary for a specific purpose or the aforementioned obligation under applicable law. The Controller regularly reviews all databases and data carriers and deletes redundant data or the data is deleted automatically.

9. Monitoring (Shops/Registered Office)

We would like to inform you that when you are in the area of official WITTCHEN brick and mortar shops (list of shops available at: https://www.wittchen.com/en-US/our-stores), as well as at the Controller's office premises, we process your data in the scope of your image, recorded via video surveillance. The data in the above-mentioned scope is collected directly from you when you are in WITTCHEN brick and mortar shops or when a business meeting takes place between the Company's partners, as well as job candidates (and in all other cases when a given person is on the premises of WITTCHEN). The recorded data is processed to ensure the safety of persons and the protection of property, and to maintain the secrecy of confidential and business information located in the aforementioned areas. Your personal data will be processed for a maximum period of 90 days or until the end of the proceedings in situations where it constitutes evidence in a court case, enforcement, mediation and other cases (in accordance with the law). The recipients of the data are our employees, collaborators and other authorised entities (public authorities and entities cooperating with the Company under separate agreements). Details concerning the processing of data in the scope of video surveillance can be found on Information Clauses available in official WITTCHEN shops and at the reception desk at the Controller's registered office.

10. Contact form

The Controller shall provide technical solutions for contacting them by means of an electronic form. Personal data of persons using the contact form (including, but not limited to: name, surname, telephone number, e-mail address), will be processed by the Controller in order to identify, send and process the query sent by the user via the form provided – the legal basis of the processing is the Controller's legitimate interest.

The provision of data marked as mandatory is required by the Controller in order to receive and handle the user's inquiry. Failure to provide this data makes it impossible to process the inquiry. The provision of other types of data is voluntary. However, user may provide them in order to facilitate contact with the Controller or processing of their inquiry.

11. Newsletter

The Personal Data Controller is WITTCHEN S.A. with its registered office in Palmiry at ul. Gdańska 60, 05-152 Czosnów, NIP: 9511022154, REGON: 011664266, KRS: 0000352760.

The Controller may process the Personal Data of persons who have subscribed to the Newsletter for the following purposes:

• performance of the Newsletter delivery agreement – Art. 6 sec. 1(b) of the GDPR – necessity for the performance of the concluded contract in order to send commercial information, attractive advertisements, promotions and offers to the user, e.g. by means of e-mails or similarly applicable communication channels;
• marketing (and remarketing), analytical and statistical activities of the Controller or its partners (e.g. advertising agencies) or other so-called third parties with which the Controller or a partner cooperates, e.g. presenting the Controller's advertisements and offers to users, also ones tailored to the user's interests on the basis of profiling, thanks to which the Controller can better adapt themselves not only to specific, general groups of customers, but also to the given customer's preferences. The Controller's actions do not substantially affect the user's purchasing decisions – Art. 6 sec. 1(f) of the GDPR, i.e. the legitimate interest of the Controller or a third party;
• establishing, protecting and pursuing claims that may arise in the context of the relationship between the user and the Controller, and other purposes that are necessary for the Controller's or a third party's legitimate interests – Art. 6 sec. 1(f) of the GDPR, i.e. a legitimate interest pursued by the Controller or by a third party.

The provision of Personal Data is voluntary, but necessary in order to conclude the Newsletter service agreement.

The user can opt out of Newsletter at any time. However, the User's personal data will continue to be stored in the Controller's database for archiving purposes, for the possible defence, establishment or assertion of claims related to the Newsletter and to ensure that the Controller is able to demonstrate compliance with the law in carrying out activities related to the Newsletter, receiving consent to receive the Newsletter and resignation from the Newsletter, which constitutes the Controller's legitimate interest. The data will be deleted after the expiry of the limitation period for contractual claims and the expiry of the period by which the Controller may be subject to inspection by a supervisory authority regarding the legality of the Newsletter activities carried out.

The Controller will process the User's Personal Data for the period necessary for the performance of the contract (execution of the newsletter), for the User's objection, as well as for the period required by law (e.g. tax law), unless a longer period is due to their retention in case of possible claims.

Information on Recipients of Personal Data is described in paragraph 16 of this Privacy Policy.

Information on the possible transfer of Personal Data to third countries (outside the European Economic Area) is detailed in paragraph 17 of this Privacy Policy.

The rights a person has in relation to the processing of their Personal Data are detailed in paragraph 18 of this Privacy Policy.

12. Marketing

The Controller processes users' Personal Data in order to carry out marketing activities. These may consist in sending emails or SMS messages about offers or content, which in some cases may contain commercial information (newsletter service). The newsletter service is provided by the Controller to persons who have provided their e-mail address for this purpose.

Personal data of individuals (including e-mail address or telephone number) are processed by the Controller:

• for the provision of the newsletter mailing service – the legal basis for processing is the consent given by the user by accepting the relevant check-box or activation link received in the email to receive newsletters;
• for marketing purposes of the Controller or its partners acting on behalf of the Controller (e.g. advertising agencies) or other so-called third parties with whom the Controller or a partner cooperates, e.g. presenting the Controller's advertisements and offers to users, also tailored to the user's interests on the basis of profiling, thanks to which the Controller can better adapt themselves not only to specific, general groups of Customers, but also to the given Customer's preferences. The Controller's actions do not substantially affect the user's purchasing decisions;
• for analytical and statistical purposes, in which case the legal basis for the processing, which consists in conducting statistical analyses of the effectiveness of our marketing activities, is the Controller's legitimate interest in improving our marketing communications;
• for the purpose of conducting commercial and marketing activities by means of telecommunications terminal equipment, including automated calling systems (e.g. SMS) or sending commercial information by e-mail, as well as reminding the user about an abandoned shopping cart in the Online Shop by the Controller or its partners (e.g. advertising agencies) or other so-called third parties with whom the Controller or a partner cooperates – then the legal basis for processing is the consent given by the user by accepting the relevant check-box to receive commercial and marketing information;
• for the purposes of possible establishment and investigation of claims or defence against claims – the legal basis of the processing is the legitimate interest of the Controller to protect their rights.

Provision of the data presented above is required by the Controller in order to provide the marketing and newsletter service. Failure to provide this data prevents us from sending you marketing communications or providing a newsletter service.

Information on Recipients of Personal Data is described in paragraph 16 of this Privacy Policy.

Information on the possible transfer of Personal Data to third countries (outside the European Economic Area) is detailed in paragraph 17 of this Privacy Policy.

The rights a person has in relation to the processing of their Personal Data are detailed in paragraph 18 of this Privacy Policy.

13. Business partners

These provisions also apply to persons who are bound to WITTCHEN by a cooperation agreement, who contact the company with a view to concluding a partnership relationship or who are in the process of negotiating an agreement between the parties. The extent of the data processed depends on the specific individual case and the nature of the contract in question. Examples of data collected for this type of contract include: first name, surname, position, residential address, e-mail address, mailing address, date and place of birth, nationality, identity card number and series, specimen signature, KRS number, Tax ID number, REGON number, payment details. The legal basis for data processing is the Art. 6 sec. 1(b) and (f) of the GDPR. At WITTCHEN, access to this type of agreements is granted to the departments dealing with the procedure and negotiation of such agreements, as well as to the legal and accounting departments and other departments having a legitimate interest, including other entities cooperating with WITTCHEN (service providers and subcontractors), however, they perform their activities only to the extent indicated in the entrustment and data sharing agreements.

14. Competitions

WITTCHEN organises many competitions to promote the WITTCHEN brand. All detailed information about the competitions can be found on the WITTCHEN website in the available competition regulations and on Facebook and Instagram. Unless otherwise stipulated in terms and conditions of the competition and unless you have given your consent for your data to be processed for another purpose not related to the competition in question, your data will only be used for competition purposes.

15. Social media

In order to keep you informed about new products, promotions or competitions, WITTCHEN provides all information via social media (Facebook, Instagram, YouTube). The Personal Data of social media users is processed by the Controller in connection with the running of Controller's profile of a particular social media service, in particular to promote events organised by the Controller (including competitions), services, marketing campaigns and products sold by the Controller.

Information on processing of personal data on social media is available at:

• Facebook: https://www.facebook.com/policy.php,
• YouTube: https://policies.google.com/privacy?hl=pl&gl=pl,
• Instagram: https://www.facebook.com/help/instagram/155833707900388.

16. Data Recipients

For the proper functioning of the Online Shop, including the performance of concluded Sales Agreements, it is necessary for the Controller to make use of services provided by external entities (such as e.g. software provider, delivery service or payment processing entity, as well as advertising agencies or other entities organizing, conducting or cooperating with or intermediating in the organization or performance of the Controller's marketing campaigns). The Controller shall only use such processing entities that provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR Regulation and protects the rights of the data subjects.

The transfer of data by the Controller does not take place in every case and not all recipients or categories of recipients indicated in the Privacy Policy receive them – the Controller transfers data only when it is necessary for the fulfilment of a given purpose of personal data processing and only to the extent necessary for its fulfilment. For example, if the Customer collects the purchased items in person, their data will not be transferred to the carrier cooperating with the Controller.

Personal data may be transferred to, among others, the following recipients or categories of recipients:

• carriers/forwarders/courier brokers – in the case of a Customer who uses the courier delivery method in the Online Shop, the Controller makes the collected personal data of the Customer available to the selected delivery service, forwarder or broker executing the shipment on the order of the Controller to the extent necessary to execute the delivery of the Product to the Customer;
• entities handling electronic or card payments – in the case of a Customer who uses the electronic or card payment method in the Online Shop, the Controller shall make the collected personal data of the Customer available to a selected entity processing the payments mentioned above in the Online Shop on the order of the Controller to the extent necessary to handle the payment made by the Customer;
• entities running marketing campaigns for the Controller;
• entities carrying out audits (financial, legal, other) at the Controller's premises;
• entities providing legal advice, participating in legal, mediation, enforcement and other proceedings in the name and on behalf of the Controller, as well as notary offices or tax advisors;
• entities operating IT systems (IT, payment and other systems);
• entities authorised by law, in particular: Offices (e.g. Tax Office in the case of a tax audit), the Police, Courts and others when the law so provides;
• other entities of the Wittchen S.A. Capital Group.

17. Transmission of data outside the European Economic Area

In the context of the Controller's or its partner's use of tools to support the Controller's day-to-day operations provided, for example, by Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland or Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (Meta), Customer Personal Data may be transferred to a country outside of the European Economic Area where its cooperating entity maintains a tool for processing Personal Data in cooperation with the Controller.

The Controller has adequately safeguarded the transfer of Personal Data through the use of standard data protection clauses adopted under the European Commission Decision and data entrustment agreements for data processing that meet the requirements of the GDPR. In the case of transfer of data to countries outside the European Economic Area, the Controller shall make every effort to ensure that its partners provide an adequate level of protection by taking additional security safeguards for Personal Data.

18. The rights of data subjects

Each Customer shall have the following rights:

• right of access to data – you have the right to access information on which data we process (pursuant to Art. 15 of the GDPR);
• right to request rectification of data – you have the right to update the data provided to WITTCHEN (pursuant to Art. 16 of the GDPR);
• right to erasure (right to be forgotten) – you have the right to have your data erased if it has been unlawfully processed or the data is no longer necessary for the purposes for which it was collected (pursuant to Art. 17 of the GDPR);
• right to restrict data processing – you have the right to restrict data processing where the Controller no longer needs the data for the purposes for which they were processed, the data are inaccurate, or its processing is not compliant with the applicable law (pursuant to Art. 18 of the GDPR);
• right to data portability – you have the right to transfer the data to another Data Controller and to receive your data in a structured, commonly used machine-readable format (pursuant to Art. 20 of the GDPR);
• right to withdraw consent – you have the right to withdraw any freely given consent at any time, with the withdrawal of consent not affecting the processing lawfully carried out by the Controller prior to its withdrawal (pursuant to Art. 7 sec. 3 of the GDPR);
• right to object – you have the right to object where the processing is carried out for the purposes of the legitimate interests of the Controller or a third party, including in particular to processing for marketing purposes, including profiling, where there are no other valid legitimate grounds for processing overriding the interests of the Customer (pursuant to Art. 21 of the GDPR);
• right to lodge a complaint with a supervisory authority – the person whose data is processed by the Controller has the right to lodge a complaint with a supervisory authority in the manner and mode specified in the provisions of the GDPR and Polish law, in particular the Personal Data Protection Act. The President of the Personal Data Protection Office is the supervisory authority in Poland.

In order to exercise the rights referred to above, the Controller should be contacted by sending an appropriate message in writing or by e-mail to the address indicated in the paragraph 5 of the Privacy Policy.

19. Voluntary provision of data

Each instance of the provision of your data is voluntary. To the extent specified in the Terms and Conditions of the Online Shop, the provision of data is necessary in order to conclude a Contract (e.g. Purchase and Sale Agreement, Service Agreement). If you place an order via the website https://www.wittchen.com/en-US, you can provide your data without giving your consent to its processing for the purpose of: receiving the newsletter, giving feedback on your purchase, receiving e-mails or SMS messages about current promotions (marketing) and/or receiving SMS messages about the status of your order. If you have given your Consent to the processing of your data for the above purposes, you may withdraw this Consent at any time via the contact provided in paragraph 5 of the Privacy Policy, whereby the withdrawal of consent does not affect the compatibility of the processing prior to its withdrawal.

20. Profiling

In order to provide the most advantageous, tailored, personalised offer to the Customers and Users this data pertains to, and in the case of the data subject's explicit Consent, the Controller may use "profiling".

Profiling in the Online Shop involves the automatic analysis or forecast of a given person's behaviour on the Online Shop website, e.g. adding a specific Product to the cart or browsing the page of a specific Product in the Online Shop, or by analysing the previous history of purchases made in the Online Shop. The condition for such profiling is that the Controller has the person's data in order to be able to subsequently send the person, for example, a discount code. The effect of the use of profiling in the Online Shop may be, for example, to grant a person a discount, to remind them of unfinished purchases, to send them a proposal for a Product that may match the person's interests or preferences or to offer better conditions compared to the Online Shop's standard offer. Despite the profiling, it is the Customer who freely decides whether they wish to take advantage of the discount or better conditions received in this way and make a purchase from the Online Shop.

21. Cookies

Cookies are small text files installed on the device of the Customer browsing the Online Shop. Cookies collect information to facilitate the use of the website – for example, by remembering the user's visits to the Online Shop and actions taken there. A detailed description of the cookies used on the website is available in the tool for managing cookies (link available in the footer of the website, under 'Manage cookies'). Below is a general description of the categories of these tools we use in the Online Shop.

• Essential cookies - The Controller uses so-called essential cookies primarily to provide the user with services provided electronically and to improve the quality of these services. Our use of essential cookies is necessary for the proper functioning of the website. These files are installed in particular for the purposes of remembering login sessions or filling forms, as well as for setting privacy options.
• Analytical Cookies - Analytical cookies allow us to check the number of visits and traffic sources on our website. They help us to identify which pages are more and which are less popular, and to understand how users navigate the website. This allows us to study statistics and improve the performance of the Online Shop. The information collected by these cookies is aggregated and is therefore not intended to establish your identity. If you do not allow these cookies, we will not know when you have visited our website.
• Funkcjonalne pliki cookies - Funkcjonalne pliki cookie zapamiętują i dostosowują Sklep Internetowy do wyborów użytkownika, takich jak preferencje językowe. Jeśli nie zezwolisz na te pliki cookie, nie będziemy w stanie analizować Państwa wyborów i odpowiednio je dostosowywać.
• Functional cookies - functional cookies remember and adapt the Online Shop to your choices, such as language preferences. If you do not allow these cookies, we will not be able to analyse your choices and adapt them accordingly.
• Marketing cookies - Advertising - marketing and advertising cookies allow us to tailor the advertising content displayed to your interests, not only on the Online Shop, but also outside it. They may be installed by advertising partners via our website. Your interest profile is built based on the information from these cookies and activity on other websites. Marketing and advertising cookies do not store your personal data directly, but identify your web browser and hardware. If you do not allow these cookies to be used, we will still be able to display advertisements to you, but they will not be tailored to your preferences.

The WITTCHEN online shop located at ://www.wittchen.com/en-US uses cookies listed on the "CookiePro" platform which ensures transparency and user control over the cookies (including storing information related to the extent of the user's consent to the cookies used for a given domain) used in the Online Shop (the data is deleted after the expiration of the time set in the tool or following the withdrawal of the consent of the Online Shop user, or at any other time in accordance with the data indicated via the "CookiePro" panel). The website https://www.wittchen.com/en-US uses CookiePro technology, i.e. a CookiePro consent management platform that provides transparency and user control over the cookies used in the Online Shop.

The tool provides functionalities such as:

• a view allowing the user to select their preferences regarding the use of cookies, categorised into: (i) performance cookies, (ii) functional cookies, (iii) cookies related to advertisements and their recipients,
• a view which allows the user to verify strictly essential cookies, i.e. cookies necessary for the proper functioning of WITTCHEN websites.

In addition, WITTCHEN's services also use the so-called Third-party cookies, which are used, among other things, to collect statistical data and data used to verify the use of the sites by their users, as well as to personalise marketing messages (e.g. by providing tailored advertising based on the user's activity or retargeting, i.e. providing the customer with specific advertising on other Internet sites).

Google Analytics is used for the above purposes. It is a publicly available tool for analysing website usage and producing reports on user activity. Google Analytics generates information regarding the URL, the type of browser used by the user, the user's IP address and the operating system used. The tool determines data on the number and length of the visits to the servers and collects data on which parts of the visited website are most frequently utilized by users (analysing their functionality). On the basis of an analysis of the data obtained in this way, it is possible to determine the efficiency and usability of WITTCHEN websites and their individual parts for the purpose of subsequent management of the development of new services and functionalities.

Detailed information on the scope and principles of data collection in connection with this service can be found at the following link: https://policies.google.com/technologies/partner-sites?hl=en.

The Controller declares that it has partnered with Microsoft Clarity and Microsoft Advertising to record the use of and interaction with the Online Shop using behavioural metrics, heat maps and session replay to improve and promote products/services in the Online Shop. Data on the use of the Online Shop is recorded using first-party and third-party cookies and other tracking technologies to determine product/service popularity and online activity. Furthermore, the Controller informs that it uses this information for the optimisation of the Online Shop, advertising and security/protection from fraud. For more information on how Microsoft collects and uses your data, visit https://www.microsoft.com/en-us/privacy/privacystatement.

The Controller informs that it also cooperates with other companies that provide tools in the field of security and marketing (advertising) activities referred to above. For the purposes of this collaboration, browser or other software installed on user's device will also store cookies from entities carrying out such marketing activities. The cookies sent by these entities are intended to ensure safe use of the Online Shop and to present the user with advertisements that correspond to their individual interests and needs. Please refer to the privacy policy of the respective partner for further details.

As part of its marketing activities, the Controller uses the services of entities that use cookies in the Online Shop. A list of the entities can be found under "Cookies related to advertising and their recipients" under the link "Third-party cookies" in the "Manage cookies" tab available in the Online Shop.

Please note that the standard settings of your web browsers allow for the storage of files on your terminal equipment, thus enabling the processing of data acquired in this way.

Users always have the possibility to change their cookie settings independently and at any time, specifying the conditions for storing and accessing cookies on the Users' Devices. The user can change the settings referred to in the previous sentence via the settings of his or her browser or via the configuration of the aforementioned service. Below you will find links to web browsers (including information on how to modify their settings on your devices):

• Chrome
  (https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=pl)
• Internet Explorer
  (https://support.microsoft.com/pl-pl/help/278835/how-to-delete-cookie-files-in-internet-explorer)
• Firefox
  (https://support.mozilla.org/pl/kb/usuwanie-ciasteczek-i-danych-stron-firefox?redirectlocale=pl&redirectslug=usuwanie-ciasteczek)
• Opera
  (https://help.opera.com/pl/latest/web-preferences/#cookies)
• Microsoft Edge
  (https://support.microsoft.com/pl-pl/help/10607/microsoft-edge-view-delete-browser-history)
• Safari
  (https://support.apple.com/pl-pl/guide/safari/sfri11471/mac)

These settings may be changed, in particular, in a way resulting in blocking automatic cookies management in the browser settings, or informing about every instance of placing cookies on the user's device. Restricting the use of cookies may affect some of the functionalities available on the WITTCHEN website. Detailed information on the possibility and handling of cookies is available in the settings of your software (web browser).

The use of cookies to collect data through them, including accessing data stored on your device, requires your consent. The Online Shop receives user's content via a cookie banner. This consent can be withdrawn at any time according to the rules described below.

Consent is not required for essential cookies, the use of which is necessary for the provision of the telecommunications service within the Online Shop (data transmission for the display of content).

In addition to agreeing to the installation of cookies via the cookie banner, you should maintain appropriate browser settings that allow cookies from the Online Shop to be stored on your device.

Withdrawal of consent for the collection of cookies on the Online Shop is possible via the cookie banner. You can return to the banner by clicking on the button called "Manage cookies", which is available on every subpage of the Online Shop.

Once the banner is displayed, you can withdraw your consent by clicking on the "Manage cookies" button. You should then move the slider next to the selected cookie category and press the "Confirm my choices" button.

The user can verify the status of their current privacy settings for the browser used at any time using the tools available at the links below:

https://www.youronlinechoices.com/uk/your-ad-choices

https://optout.aboutads.info/?c=2&lang=EN

Changing your browser settings can restrict the use of both essential and optional cookies. However, we would like to inform you that this may significantly hinder or prevent you from using the Online Shop.

22. Changes to the Privacy Policy

We would like to inform you that in order to ensure the security of your personal data as well as up-to-date and transparent procedures and policies at WITTCHEN S.A., this document will be reviewed and amended on a regular basis in relation to changes in the generally applicable provisions of law and any measures taken to ensure appropriate protection of your Personal Data.

This Policy is effective as of 18-06-2025.