Privacy Statement

Part A: Summary of our Privacy Statement

CERRIX BV processes different categories of personal data depending on how you use our Website, how you interact with us and on which data you choose to share with us.

In general, if we process your personal data, it will be personal data of one of the categories listed below:

- Identification and contact details (such as first and last name, phone number, address, email address, etc.);

- Professional details (such as profession, company you work for, company location and address, job title, company registration and VAT number, etc.);

- Technical information (such as information about your computer, mobile and other devices, including your IP- address, operating system, browser type, etc.);

- Usage information (such as information regarding your usage of our Website (such as, history, logs, date, time, location, frequency, duration of the pages you have viewed, consent preferences, information regarding consent(s) given by you (such as, the date and time of your consent) etc.);

- Any other categories of personal data as identified below under section 3.

Personal data is either collected by us or provided to us by you.

CERRIX does not share your personal data with third parties other than for operating the Website, unless it is obliged to do so or to a limited extent with its service providers who provide the necessary guarantees. We do not sell any personal data to third parties.

Privacy legislation grants data subjects, within certain conditions, all kinds of rights (right to access, right to erasure, right to restriction, etc.). CERRIX wants to facilitate the exercise of your rights by allowing to easily contact CERRIX to this end. CERRIX will promptly follow up on any questions and has provided a central point of contact and streamlined process for all privacy questions.

‍

Part B: Contact details and information about this Privacy Statement

1. About Us‍

1.1. The Website is operated by CERRIX BV, with registered office at Jan Pietersz. Coenstraat 7, 2595 WP The Hague, The Netherlands and with company and VAT number NL854381351B01.

1.2. Any questions or comments can be sent by post to foregoing address or by e-mail to info@CERRIX.com. All questions regarding privacy or processing of personal data will be directed to our central point of contact for this purpose. CERRIX will do its utmost best to answer any question or concern as soon as possible, and always within the boundaries of applicable laws.

2. Information about this Privacy Statement

2.1. This Privacy Statement informs you about how CERRIX collects and processes personal data in the course of our (client) relationship with you (as applicable) and/or when you use our Website. Privacy and the protection of personal data are of utmost importance to CERRIX. CERRIX at all times endeavors to respect the European General Data Protection Regulation 2016/679 of 27 April 2016 (also referred to as the “GDPR” ).

2.2. This Privacy Statement describes CERRIX’ processing activities as a data controller. Please note that if you are a user of the CERRIX platform, CERRIX acts as a so-called “data processor” on the instruction of its customer (of who you will typically be an employee or contractor). Such instructions are set out in a written data processing agreement between CERRIX and its customer. These processing activities do not fall within the scope of the present Privacy Statement. In such event, the customer remains responsible for properly informing the data subjects concerned and

to obtain all necessary consents and approvals where necessary, in order to make full and legally compliant use of the CERRIX’ platform and services.

2.3. By visiting the Website, you confirm to have read and understood this Privacy Statement. On some occasions, you may also be asked to explicitly give your consent. In doing so, you agree that checking a box counts as an informed, specific, free and full consent such as a signature to agree to contractual documents.

2.4. CERRIX may amend this Privacy Statement from time to time. When using the Website, the latest version of the Privacy Statement will always apply. If required pursuant to applicable law, CERRIX will inform you of modifications to this Privacy Statement in an appropriate manner. The latest revision date can always be found at the bottom of the document.

‍

Part C: What data do we process from our Users and Website visitors, on what legal basis and for what purposes?

3. What data do we collect from you, and for what purposes is this data used?

Dependent on how you use the Website or otherwise interact with us, different types of information are collected and these are used for different purposes. Below, an overview of these processing activities can be found as well as the legal basis for the processing of these data.

For certain processing purposes, CERRIX requires your consent. The consent you give is always free and you have the right to withdraw it at any time. You can withdraw your consent by sending an email to privacy@CERRIX.com. Your withdrawal of consent does not affect the processing of personal data prior to such withdrawal or our processing activities which are based on any other legal basis.

Of course, the relevant data will only be processed when falling within one or the other category, and also only if making use of certain functions as described below.

‍

Part D: How do we share your data?

4. What data do we share with third parties?

CERRIX wants to protect privacy as much as possible. To that end, CERRIX will limit the sharing of data with third parties to a minimum as follows.

4.1. As a general rule, CERRIX never transfers personal data obtained to third parties other than as stipulated in this Privacy Statement as follows:

(a) With competent authorities who are authorised to request such information or to whom we have to disclose information, or when required by law or as a result of legal proceedings or court proceedings;

(b) In addition, CERRIX may disclose data if CERRIX determines that such disclosure is reasonably necessary to enforce the Terms or to protect its business or other Website visitors;

(c) CERRIX may share data with third-party service providers acting as "processors" on behalf of our company – in this case, CERRIX will always ensure that it has the necessary (contractual) guarantees that the service provider in question has taken appropriate measures with regard to privacy (including any transfer of data to countries outside the European Economic Area);

(d) At your request, e.g. when using products or services that requires CERRIX to share data with third parties;

(e) With companies within our corporate group, when this is necessary for the performance of the contract (e.g. customer management) or to fulfil a specific request;

(f) Furthermore, you acknowledge that CERRIX may at any time transfer or share personal data in the event of a reorganisation and/or restructuring of its business (e.g. in the event of a takeover, branch demerger, merger, split-off, investment, etc.). CERRIX does not require the consent of you for this, but will take reasonable efforts to inform them of such an event. In this case, CERRIX will also ensure that the acquirer or partner takes appropriate privacy measures to protect privacy rights as best as possible.

4.2. CERRIX generally does not intend to transfer personal data to other third persons or to countries outside the European Economic Area; however, should this occur, please refer to clause 4.1(c) above and CERRIX will ensure that appropriate and suitable safeguards are put in place. In that case a copy of those safeguards can always be obtained by writing to CERRIX using the contact details set out in section 1 above.

Part E: Protection, integrity and retention of personal data

5. Protection of personal data‍

5.1. CERRIX takes the security of personal data very seriously. CERRIX protects personal data during transmission and at rest by taking appropriate technical and organizational security measures to ensure a level of security in accordance with applicable data protection laws. If personal data is held on company premises, CERRIX uses computer systems with limited access in locations with physical security measures. Please contact us if you would like more information on the specific measures taken by sending an email to: privacy@CERRIX.com.

5.2. Despite the above measures taken by us, you should be aware that there are always risks associated with sending personal data over the internet. The security and protection of your personal data can never be fully guaranteed, nor can we guarantee that unauthorized third parties will never be able to defeat those measures or use your personal data for improper purposes.

Part F: Data subject rights and obligations

6. Your rights

6.1. Privacy legislation sets out a number of rights which a data subject can exercise under certain circumstances and conditions.

More specifically this concerns the rights which are described below, and which are further detailed in the relevant article of the GDPR.

(a) Right of access: as a data subject, you have the right to obtain from us a confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to obtain access to that personal data and to accompanying information such as the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients of the personal data, the period for which the personal data are expected to be stored, your rights, any available information on the source of the data, and the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject. This right is further described in Article 15 of the GDPR;

(b) Right to rectification: as a data subject, you have the right to obtain from the controller (i.e. CERRIX), without undue delay, the rectification of inaccurate personal data concerning you. Subject to the purposes of the processing, as a data subject you have the right to have incomplete personal data completed, including by means of providing a supplementary statement. This right is described in Article 16 of the GDPR;

(c) Right to erasure: as a data subject, you have the right to obtain from the controller (i.e. CERRIX) the erasure of personal data concerning you and we are obliged to erase personal data when, among other things, the personal data is no longer necessary in relation to the purposes, you withdraw your consent, you object to the processing in certain circumstances, the personal data has been processed unlawfully, etc. However, this right is subject to limitations, although we will always act in line with the law. This right is further described in Article 17 of the GDPR;

(d) Restriction of processing: as a data subject, you have the right, within the limits set out in law, to obtain from the controller (i.e. CERRIX) the restriction of processing where one of the following applies: (a) the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data, (b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead, (c) we no longer need the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims, (d) you have objected to the processing, pending the verification whether our legitimate grounds override those of the data subject. This right is further described in Article 18 of the GDPR;

(e) Right to object: as a data subject, you have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you on the basis of our legitimate interests. This right may be exercised under the conditions laid down by law. When your personal data are processed for the purposes of direct marketing, you have the right to object at any time to the processing of personal data concerning you for such marketing. This right is further described in Article 21 of the GDPR;

(f) Right to data portability: as a data subject, you have the right to receive the personal data relating to you, which you have provided to us as a controller, in a structured, commonly used and machine-readable format, and you have the right to transmit such data to another controller, without hindrance from the data controller to whom the personal data have been provided, and this under the conditions set out in law (the processing is based on consent or on a contract, and the processing is carried out by automated processes). This right is further described in Article 20 of the GDPR.

6.2. Our company and its employees take all questions regarding privacy seriously and will deal with them promptly. In order to streamline this process, we ask any data subject to email us at info@CERRIX.com when you request to exercise your rights. You may also contact us in any other way. However, we reserve the right to verify the identity of the requesting party, as we obviously need to protect the privacy of third parties as well.

6.3. In certain cases, we may refuse requests or may first investigate further and/or request the necessary additional information, for example if these requests are very unclear or suspicious, endanger the privacy of others, are extremely impractical, etc. In doing so, we will always act in line with applicable legislation.

6.4. It is important to note that for those cases where we process your personal data on the basis of your consent (see those cases under section 3 above), you have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent before the withdrawal.

6.5. The exercise of these rights is in principle free of charge. Only in the event of unreasonable or repeated requests, we may charge a reasonable administrative fee. Rivero will inform you of the applicable fee before charging it. If you contact us to exercise your rights we will respond within one month. Exceptionally this may take longer (up to three months), but then we will inform you within one month of the reasons why.

7. What if you do want to file a complaint

7.1. If you have any complaints or questions, we of course always prefer to try and find a solution first. We will do our utmost best to achieve this.

In any event, you have the right to lodge a complaint with a supervisory authority at any time. In The Netherlands, the supervisory authority is the Dutch Data Protection Authority or Gegevensbeschermingsautoriteit (see www.autoriteitpersoonsgegevens.nl; address: Autoriteit Persoonsgegevens; Postbus 93374; 2509 AJ Den Haag)

8. Your obligation

8.1. The data you share with us must be accurate and complete. If this is not the case, CERRIX reserves the right to take any other measures CERRIX deems appropriate. Furthermore, you expressly confirm that you have obtained all necessary rights and consents to provide us with the information you send us, and you shall indemnify us for any damages resulting from any non- compliance with this obligation.

9. Liability

If CERRIXCERRIX has lawfully provided your personal data to a third party (other than a subprocessor), it will not be liable for the unlawful processing or use by that third party.

CERRIXCERRIX is in any case only liable for the damage caused by the processing of personal data if it did not comply with its specific obligations under the applicable data protection laws and our liability shall not exceed an amount equal to the amounts actually paid out by our insurer for the damage causing event. CERRIXCERRIX shall in no event be liable for any special, incidental, indirect or consequential losses or damages.

You agree, to the maximum extent permitted under applicable law, not to hold CERRIXCERRIX’ directors, contractors, subcontractors, representatives, appointees, lawyers, employees, and other auxiliary persons personally or directly liable for or in connection with the processing activities of CERRIXCERRIX. Any (liability) claim for or in connection with the processing of your personal data (including any extra-contractual claim) will (may) be brought exclusively against CERRIX.

The foregoing exclusions and limitations shall only apply to the maximum extent permitted by applicable law.

Part G: Do you still have questions?

10. Further questions?

Let us know:

(a) By post to CERRIX BV, Jan Pietersz. Coenstraat 7, 2595 WP The Hague, The Netherlands

(b) By e-mail to info@cerrix.com

All questions concerning privacy or your personal data are handled by our central point of contact.

CERRIX BV - Last revised on September 2nd, 2025

‍

‍