DATA PRIVACY POLICY OF WITTCHEN S.A.

1. General Provisions

The provisions of this privacy (hereinafter: „Privacy Policy”) define the legal basis for the processing and use of personal data by WITTCHEN S.A., having its registered office in Palmiry, ul. Gdańska 60, 05-152 Czosnów, NIP (Tax ID): 9511022154, REGON (Business ID): 011664266, KRS No.: 0000352760 (hereinafter: „WITTCHEN”). The Privacy Policy is an integral part of the Terms and Conditions of the WITTCHEN Online Shop. Before using the Online Store website, the Buyer should read this Privacy Policy.

WITTCHEN uses personal data for the purposes specified in this Privacy Policy as well as for other purposes, each time clearly defined in the Information Clauses presented to Customers.

The Controller takes special care to protect the interests of the data subjects whose data is processed by the Controller. The Controller collects and processes personal data:

• according to universally applicable laws;
• for the purposes strictly defined in this Privacy Policy as well as for other purposes, each time clearly defined in the Information Clauses;
• adequately for the fulfilment of purposes and obligations;
• according to the applicable retention periods, but no longer than necessary to ensure the performance of individual processes, rights and obligations, and according to the deadlines specified by law;
• according to the applicable data processing security standards; in particular, the Controller protects the data against unauthorised and unlawful processing, loss, damage, destruction or distortion by taking any necessary technical, organisational and procedural measures.

2. Definitions

Controller - WITTCHEN S.A. based in Palmiry, Gdańska 60, 05-152, Czosnów

Personal data - information about a natural person identified or identifiable by one or more specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity.

Information clause - means any information provided in the case of data collection by the Controller under Article 13 or 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Customer - i) a natural person, including a consumer (i.e. performing a legal transaction not directly related to his business or professional activity), who has legal capacity and / or is at least 13 years of age, and if this person fails to complete 18 years of age, the consent of its legal representative or legal guardian is required, as well as ii) a legal person and an organizational unit that is not a legal person, the specific provisions of which grant legal capacity, which uses or intends to use the Website, including the Online Store and / or in the cases described in the regulations of the Online Store.

GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and repealing Directive 95/46 / EC.

Processor - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Profiling - means any form of automated processing of Personal Data. Profiling enables an individual, specific and customised offer to be attributed to a given Customer.

Processing - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Pseudonymisation - means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject.

Online Shop - means the Controller’s online shop under the address www.wittchen.com which facilitates the electronic sale of WITTCHEN brand products.

Consent - of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

3. Data processing in connection with the use of the Online Shop

In connection with the user's use of the Online Shop, the Controller collects data to the extent necessary to provide individual services offered, as well as information about the user's activity in the Online Shop. The detailed rules and purposes of processing Personal Data collected while using the Online Shop by the user are described below.

4. Legal basis

All personal data is processed in compliance with Polish and EU laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

The Controller collects and processes personal data when:

• the data subject has given consent to data processing (for a specific purpose) according to Article 6(1)(a) GDPR;
• the data subject and WITTCHEN have concluded a contract (in particular, a sales or trade contract) or are taking steps aimed at concluding, terminating or performing the provisions of a contract or any other activities related to such contract, according to Article 6(1)(b) GDPR;
• processing is necessary for the Controller to fulfil a legal obligation according to Article 6(1)(c) GDPR;
• processing is necessary for the purposes of the legitimate interests pursued by WITTCHEN or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of Personal Data, in particular where the data subject is a child, according to Article 6(1)(f) GDPR;

The Controller processes Personal Data only based on the above legal basis. Specific examples (with legal basis) of the processing of Personal Data are provided in this Privacy Policy below in respect of a given purpose of data processing by the Controller. For example, if the Customer decides to make a purchase in the Online Shop and chooses to collect the purchased Product in person instead of opting for delivery by courier, their personal data will be processed in order to perform the concluded Sales Agreement, but they will not be made available to the carrier commissioned by the Controller to handle the shipment.

5. Controller's Contact Details

In order to contact the Controller to exercise your rights to personal data protection and obtain information in connection with the processing of personal data by WITTCHEN, please send your request:

• in writing to: Palmiry, ul. Gdańska 60, 05-152 Czosnów, with a note reading 'to the Controller';
• in electronic form to: ado@wittchen.com.

6. Display Of The WITTCHEN Website

Please be informed that when the WITTCHEN website under the address www.wittchen.com is displayed in available browsers, information is exchanged between your mobile device, computer or similar device, and WITTCHEN's servers. All information obtained in connection with displaying the website is used to ensure efficient functioning of IT processes on WITTCHEN's website or other processes in your browser. When the website www.wittchen.com is being displayed, your browser may send the following information: your IP address, time when the website was accessed and left, name and URL of the file being displayed, page or application from which the website was accessed. This data is sent to ensure security and stability as well as convenient and uninterrupted use of the Website. The above data is processed according to Article 6(1)(f) GDPR – for the above purposes.

The above data is stored only during your visit in the WITTCHEN Online Shop, and when you close the website they are automatically erased, unless you have purchased one or more products in the Online Shop. If you have purchased one or more products, your data may be stored for one year, for the duration of the contract, for the time resulting from tax and accounting laws, and for the time necessary for WITTCHEN to pursue any claims (in accordance with applicable law).

If you use our search engine to find stationary shops of the WITTCHEN brand (available at: https://www.wittchen.com/en-US/our-stores), your browser, based on Consent to disclose your geolocation data, can process such data in order to find the closest shop in your area. This type of data is not stored by WITTCHEN in any way and is automatically erased when the website is closed.

7. Purpose Of Data Processing

Each time, your Personal Data is Processed for a strictly defined purpose, according to a specific legal basis. Presented below is a description of selected operations related to the Processing of Personal Data:

8. Data Retention

Depending on the purpose and legal basis, we store your data for the following period of time:

• for the purpose of concluding performing a contract: we store your data for the duration of a contract (e.g. purchase and sale, trade and other contracts);
• for direct marketing: we store your data until an effective and legally justified objection has been expressed;
• for marketing purposes: we store your data until you have withdrawn your marketing Consent;
• for the purpose of exercising or defending claims: we store your data until the end of the limitation period for a claim (as prescribed by the law);
• for the purpose of examining a complaint or other notice: we store your data until the complaint has been examined, and for the limitation period of claims (depending on the case);
• for tax and accounting purposes: for the time prescribed by the law;
• for other purposes: we may store your data for other purposes for a strictly defined retention time (for a specific processing purpose), but each time we will inform you of your rights and obligations in Information Clauses as required.

We process Your data no longer is necessary to achieve a specific purpose or for a time prescribed by the applicable law. The Controller regularly verifies all databases and data media and erases unnecessary data, or such data is erased automatically.

9. Video Surveillance (Retail shops / Headquarters)

During your visit in WITTCHEN's official stationary shops (for a list of the shops, visit: (https://www.wittchen.com/en-US/our-stores) and at the Controller office, we process your data (image), which is recorded by means by video surveillance. The above data is obtained directly from you during your visit in WITTCHEN's stationary shops or during a business meeting with the Company's partners as well as job candidates (and in all other situation when an individual is present on the premises of WITTCHEN). The recorded data is processed in order to keep individuals safe and protect property, and to keep secret any confidential and business information on the premises. Your personal data will be processed for no longer than 90 days or until the end of proceedings in which the data serves as evidence in court, enforcement, mediation and other cases (in accordance with the law). The data recipients are our employees, associates and other authorised entities (public authorities and entities working with the Company under separate contracts). For details on the processing of data by means of video surveillance, see the Information Clauses available at WITTCHEN's official shops and at the reception area in the Controller's office.

10. Contact Form

The Controller ensures technical solutions for contacting it by using electronic form. Personal data of all persons using the electronic contact form (including among others: name, last name, phone number and e-mail address ) that are enabled in our website are processed by the Controller to identify, send and handle an inquiry sent by the user through the provided form–the legal basis for processing is the legitimate interest of the Controller.

Provision of data marked as mandatory is required by Controller to accept and handle a User inquiry. Failure to provide such information makes it impossible to handle an inquiry. Provision of other types of data is voluntary. The User may however provide these to facilitate contact with the Controller or the handling of his/her inquiry.

11. Marketing

The Controller processes personal data of Users to perform marketing activities. These may involve the sending of e-mail messages about interesting offers or contents, which in some cases may include commercial information (newsletter service). This newsletter service is provided by the Controller to the people who provided their e-mail address for this purpose.

Personal data of persons (including e-mail address) are processed by the Controller:

• to provide the newsletter sending service – the legal basis for processing is the consent expressed by the User via the acceptation of the relevant check-box for the receipt of newsletters;
• for analytical and statistical purposes - then the legal basis for processing consisting in conducting statistical analyses of the effectiveness of our marketing activities, is our legitimate interest in improving our marketing communications;
• in order to possibly establish and pursue claims or defend against claims - the legal basis for processing is the Controller's legitimate interest, consisting in the protection of its rights.

Provision of the aforementioned data is required by Controller to provide the marketing and newsletter service. Failure to provide such information makes it impossible for us to send Users marketing communications and/or provide the newsletter service.

12. Business Partners

These provisions also apply to individuals who have concluded a cooperation agreement with WITTCHEN, contact the company to enter into a partnership relationship or are in the process of negotiating a contract between the parties. The scope of the processed data depends on the individual case and nature of the contract. Data collected for the purposes of such contracts includes: given name, surname, position, address of residence, e-mail address, correspondence address, date and place of birth, citizenship, ID card number and series, specimen signature, KRS number, tax ID (NIP), statistical number (REGON) and payment data. The legal basis for data processing is Article 6(1)(b)and/or (f) GDPR. At WITTCHEN, this type of contracts can be accessed by departments which process and negotiate such contracts as well as by the legal and accounting departments and other departments with a legitimate interest, including other parties working with WITTCHEN (service providers and subcontractors), but they perform their activities only in the scope provided for in data processing agreements.

13. Contests

WITTCHEN organises many contests to promote the WITTCHEN brand. For contest details, see the respective contest's terms and conditions on WITTCHEN's website, and visit Facebook and Instagram. Unless the contest terms and conditions stipulate otherwise and if you have not given consent to data processing for another purpose not related to a contest, your data will only be used for the contest.

14. Social Media

WITTCHEN provides full information on new products, promotions or contests via social network sites (Facebook, Instagram, YouTube). Personal data of social media users are processed by the Controller in connection with keeping his profile on a particular website, in particular to promote events organized by the Controller (including contests), services, marketing campaigns and products sold by the Controller.

The Information Clause for the processing of your data in connection with the above-mentioned social networking sites, with detailed information on the protection of your Personal Data, is available on Facebook in the Notes tab.

Information on data processing in social media is available at:

• Facebook: https://www.facebook.com/policy.php,
• YouTube: https://policies.google.com/privacy?hl=pl&gl=pl,
• Instagram: https://www.facebook.com/help/instagram/155833707900388.

15. Data Recipients

In order to be able to ensure proper functioning of the Online Shop and perform any concluded Sales Agreements, the Controller uses services provided by third parties (e.g. software providers, couriers and payment processors). The Controller only uses services rendered by processors who provide sufficient guarantees to implement technical and organisational measures so that the processing meets the requirements of the GDPR and protects the rights of data subjects.

The Controller does not provide data in every case and to every recipient or category of recipients specified in the Privacy Policy. The Controller only transfers data when it is necessary to achieve a specific purpose of data processing and only to the extent necessary for such purpose. For example, if the Customer has chosen to collect a product in person, their data will not be transferred to any carrier used by the Controller.

Personal data may be transferred to the following recipients or categories of recipients:

• carriers/forwarders/courier brokers: if the Customer selects delivery by courier in the Online Shop, the Controller will transfer the Customer's personal data to a selected carrier, forwarder or intermediary commissioned by the Controller to handle the shipment, to the extent necessary to deliver the Product to the Customer;
• electronic or card payment processors: if the Customer selects electronic or card payment, the Controller will transfer the Customer's personal data to a selected entity commissioned by the Controller to process payments in the Online Shop, to the extent necessary to process the Customer's payments;
• entities performing audits (financial, legal or other audits) at the Controller's premises;
• entities that provide legal advice, participate in court, mediation, enforcement and other proceedings for and on behalf of the Controller as well as civil law notary offices or tax advisors;
• providers of information systems (IT, payment and other systems);
• authorities authorised under the law, in particular: offices (e.g. Tax Office, during a tax audit), the police, courts and other, as provided for in the respective act;
• other member companies of the Capital Group of Wittchen S.A.

16. Transfer Of Data Outside The European Economic Area

Your personal data processed by WITTCHEN is not transferred outside the European Economic Area (EEA).

17. Rights Of Data Subjects

In any case, every Customer has the following rights:

• right of access by the data subject: you have the right to access information on your personal data being processed by us (Article 15 GDPR);
• right to rectification: you have the right to update your data transferred to WITTCHEN (Article 16 GDPR);
• right to erasure 'right to be forgotten': you have the right to have your data erased if it has been processed unlawfully or is no longer necessary for the purposes for which it was collected (Article 17 GDPR);
• right to restriction of processing: you have the right to obtain restriction of data processing if the controller no longer needs the data for the purposes for which it was processed, the data is inaccurate or processed unlawfully (Article 18 GDPR);
• right to data portability: you have the right to transmit your data to another controller and to receive your data in a structured, commonly used and machine-readable format (Article 20 GDPR);
• right to withdraw consent: you have the right to withdraw your voluntary consent at any time, and the withdrawal of consent shall not affect the lawfulness of processing by the Controller based on consent before its withdrawal (Article 7(3) GDPR);
• right to object: you have the right to object when the processing of data is done for the purpose of legitimate interests pursued by the Controller or a third party, in particular processing for marketing purposes, including profiling, if there are no other valid, legitimate grounds for processing overriding the Customer's interests (Article 21 GDPR);
• right to lodge a complaint with the competent supervisory authority: the data subject whose data is being processed by the Controller has the right to lodge a complaint with the competent supervisory authority according to the procedure and mode set out in the provisions of the GDPR and the Polish law, in particular the Personal Data Protection Act. The competent supervisory authority in Poland is the President of the Personal Data Protection Office.

In order to exercise the rights referred to above, please contact the Controller in writing or by e-mail to the address provided in section 5 of the Privacy Policy.

18. Voluntary Provision Of Data

The provision of your data is always voluntary. To the extent specified in the Online Shop Terms and Conditions, the provision of your data may be required for the conclusion of an Agreement (e.g. a Purchase and Sale Agreement, an Agreement for the Provision of Services). When placing an order at www.wittchen.com you can provide your data without consenting to their processing for the purpose of receiving our newsletter, expressing an opinion on the purchase made, receiving e-mails about current promotions (marketing), receiving text messages (SMS) with your order's status. If you give Consent to the processing of your data for the above purposes, you may withdraw your Consent at any time using the contact details provided in section 5 of the Privacy Policy, but the withdrawal of Consent will not affect the lawfulness of data processing before its withdrawal.

19. Profiling

The Controller may use profiling in order to present an optimal and customised offer to its Customers and users being data subjects and if the data subject has given consent to the use of profiling.

Profiling in the Online Shop involves an automated analysis or forecast of an individual's behaviour on the Online Shop website, such as adding a Product to the cart, browsing a specific Product page, or analysing their history of purchases in the Online Shop. For the profiling to take place, the Controller is required to obtain consent from the data subject (e.g. to be able to send them a discount code). The effects of using profiling in the Online Shop may include, for example, granting a discount to a specific person, reminding them about unfinished purchases, suggesting a Product that may correspond to their interests or preferences, proposing better conditions compared to the standard offer of the Online Shop. Even when profiling is used, it is the Customer who will ultimately decide on whether to use from a discount or better conditions, or make a purchase in the Online Shop.

20. Cookies

Cookies are small text files installed on the device of the Customer browsing the Online Shop. Cookies collect information that facilitates the use of the website - e.g. by remembering the user's visits in the Online Shop and the activities performed by the user. A detailed description of the cookies used on the website is available in the cookie management tool (link available at the bottom part of the website under "Manage cookies"). Below is a general description of the categories of these tools that we use on the Online Shop.

• Essential cookies - the Controller uses the so-called necessary cookies primarily to provide the user with services provided electronically and to improve the quality of these services. Our use of essential cookies is necessary for the proper functioning of the website. These files are installed in particular for the purpose of remembering login sessions or filling in forms, as well as for the purposes related to setting the privacy options.
• Analytical cookies - analytical cookies make it possible to check the number of visits and traffic sources on our website. They help us find out which pages are more and less popular and understand how users navigate the page. This allows us to study statistics and improve the performance of our Online Shop. The information these cookies collect is aggregated so it is not intended to identify you. If You do not allow these cookies, we will not know when You visited our website.
• Functional cookies - functional cookies remember and adapt the Online Shop to the user’s choices, such as language preferences. If you do not allow these cookies, we will not be able to analyse Your choices and adapt the website accordingly.
• Marketing - advertising cookies - marketing and advertising cookies allow you to adjust the displayed advertising content to your interests, not only on the Online Shop, but also outside it. They can be installed by advertising partners through our website. Based on the information from these cookies and activity on other websites, Your interest profile is built. Marketing and advertising cookies do not directly store your personal data, but identify your internet browser and hardware. If You do not allow these cookies, we will still be able to show you advertisements, but they will not be tailored to your preferences.

The WITTCHEN online shop located at www.wittchen.com uses cookies listed on the "CookiePro" platform ensuring transparency and user control over cookies (including in the scope of storing information on the scope of the user's consent to the cookies used for a given domain) used in the Online Shop (data is deleted after the time specified in the tool or until the consent of the Online Shop user is withdrawn, or at another time in accordance with the data provided via theCookiePro panel). The website www.wittchen.com uses CookiePro technology, i.e. the CookiePro consent management platform ensuring transparency and user control over the cookies used in the Online Shop.

This tool provides functionalities such as:

• view that allows the user to choose their preferences regarding the use of cookies, divided into the following categories: (i) performance cookies, (ii) functional cookies, (iii) cookies related to advertising and their recipients,
• view that allows the user to verify strictly necessary cookies, ie cookies necessary for the proper functioning of WITTCHEN website.

In addition, WITTCHEN's website also uses Third-Party Cookies (third party cookies), which are used for collecting statistical data and data for verifying the use of websites by the users, as well as to personalize marketing messages (e.g. by providing tailored advertising based on user activity or retargeting, i.e. providing the Customer with specific advertisements on other websites on the Internet)

Google Analyticsis used for the above purposes. It is a widely available tool for analysing the use of websites and preparing reports on user activity. Google Analytics generates information on the URL, type of browser used by the user, their IP address and operating system used. The tool determines the data on the number of server visits and their length, and collects data on which parts of the website are most often used by users (by analysing their functionality). Having analysed the collected data, it is possible to determine the performance and usefulness of WITTCHEN's websites and their parts, driving the development of new services and functionalities.

For details on Google Analytics, visit: https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage.

By default, your web browser allows files to be stored on your end devices, which enables the processing of data obtained in this way.

Users can change their Cookie settings at any time, specifying the conditions for storage and access to their end devices by Cookies. To change the settings referred to in the previous sentence, the User can use the browser settings or the service configuration. Presented below are links to web browsers (information on how to change browser settings on your end devices):

• Chrome
  (https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=pl)
• Internet Explorer
  (https://support.microsoft.com/pl-pl/help/278835/how-to-delete-cookie-files-in-internet-explorer)
• Firefox
  (https://support.mozilla.org/pl/kb/usuwanie-ciasteczek-i-danych-stron-firefox?redirectlocale=pl&redirectslug=usuwanie-ciasteczek)
• Opera
  (https://help.opera.com/pl/latest/web-preferences/#cookies)
• Microsoft Edge
  (https://support.microsoft.com/pl-pl/help/10607/microsoft-edge-view-delete-browser-history)
• Safari
  (https://support.apple.com/pl-pl/guide/safari/sfri11471/mac)

These settings can be changed, in particular, in such a way so as to block the automatic handling of cookies in the browser settings or to receive a prompt each time when cookies are saved on the user's device. Restricting the use of Cookies may affect certain functionalities available on WITTCHEN's website. Details on the options and modes of handling Cookies can be found in the software (browser) settings.

The use of cookies to collect data through them, including access to data stored on the user's device, requires Your consent. The Online Shop receives consent from the user via the cookie banner. This consent may be withdrawn at any time according to the rules described below.

Consent is not required for the necessary cookies, the use of which is necessary to provide a telecommunications service as part of the Online Shop (data transmission to display content).

In addition to consenting to the installation of cookies via the cookie banner, you should keep the appropriate browser settings, allowing you to store cookies from the Online Shop on your end device.

Withdrawal of consent to the collection of cookies in the Online Shop is possible via the cookie banner. You can return to the banner by clicking on the 'Manage cookies' button which is available on every subpage of the Online Shop.

After the banner is displayed, you can withdraw your consent by clicking the 'Manage cookies' button. Then you should move the slider next to the selected cookie category and press the "Confirmation of my choices" button.

The user may at any time verify the status of his current privacy settings for the browser used using the tools available at the following links:

https://www.youronlinechoices.com/pl/twojewybory

https://optout.aboutads.info/?c=2&lang=EN

Changing your browser settings may restrict the use of both essential and optional cookies. Please be advised, however, that this may significantly hinder or prevent the use of the Online Shop.

21. Changes To The Privacy Policy

Please be advised that in order to ensure security of your personal data as well as up-to-date and transparent procedures and policies at WITTCHEN S.A., this document will be regularly reviewed and changed in connection with changes in universally applicable laws and any measures taken to ensure appropriate protection of your Personal Data.

This Policy takes effect as of 25/02/2022.

The privacy policy valid up to and including February 24, 2022 can be found here.