Annex III: Data Protection Policy (GDPR – EU)

This annex regulates the processing of personal data in accordance with Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and Spanish Organic Law 3/2018, of December 5 (LOPDGDD), applicable to personal data provided by the User or collected by DeepThink in the context of the use of SWPANEL, in any of its versions (SaaS, Self-Hosted or mobile).

1.Data controller The data controller responsible for the processing of the User's personal data is: DeepThink Software SLu Calle Ponent 13-15, 17458 Fornells de la Selva, Girona, Spain Email: [email protected]

2.Purposes of the processing DeepThink will process the User's personal data for the following legitimate purposes: 2.1.To provide SWPANEL services, including user account management, authentication, technical support, billing, and maintenance of services. 2.2.To prevent fraud, ensure system security, monitor the proper use of the platform, and detect irregular or illegal activities. 2.3.To develop and improve SWPANEL's functionalities, evaluate the use of tools, and introduce improvements based on technical or statistical analysis (in an anonymized or aggregated form whenever possible). 2.4.To comply with legal and regulatory obligations applicable to DeepThink, such as accounting, tax, cybersecurity, and data protection regulations. 2.5.Send the User, where appropriate, electronic commercial communications or direct marketing relating to products or services of DeepThink or the Prime Partners group, always related to or compatible with the services contracted, based on their legitimate interest or consent, when required. 2.6.Share certain personal data with other companies in the Prime Quad Partners SL business group (hereinafter, "Prime Partners"), of which DeepThink is a member, for the following specific purposes: 2.6.1.To improve the commercial relationship and customer service. 2.6.2.To offer complementary or escalated technical support, when necessary. 2.6.3.To present products or services that are integrable, related, or complementary to SWPANEL that may be of interest to the User. 2.6.4.To guarantee the operational continuity of the service, inter-company assistance, and incident tracking, always under the principles of data minimization and confidentiality. These transfers of data between companies within the group are carried out on the basis of legitimate interest (Art. 6.1.f GDPR) and never involve incompatible, unreported or infringing purposes that violate the User's rights.

3.Legal basis for processing. The bases that legitimize DeepThink for the processing of the User's personal data are: 3.1.Execution of the contract: processing necessary for the provision of the services contracted by the User (art. 6.1.b GDPR). 3.2.Legal compliance: DeepThink's obligation to comply with applicable regulations (Art. 6.1.c GDPR). 3.3.Legitimate interest: to ensure security, quality of service, internal control, and continuous improvement, as well as communications about similar products or services of our own or those of the Prime Partners group (Art. 6.1.f GDPR). 3.4.Consent: in cases where required by law, such as in electronic communications where there is no prior contractual relationship or for the use of non-essential cookies (see Annex VII).

4.Transfer and disclosure of personal data 4.1.The User's personal data may be disclosed to third parties exclusively in the following cases: 4.1.1.To service providers contracted by DeepThink (e.g., payment platforms, hosting services, external technical support), under data processor contracts in accordance with Article 28 of the GDPR. 4.1.2.To administrative, fiscal, or judicial authorities when legally required. 4.1.3.To companies in the Prime Partners group, as indicated in section 2.6 of this annex, under inter-company contracts of shared responsibility or processing orders, depending on the purpose and nature of the exchange. 4.2.In the event of international transfers outside the European Economic Area (EEA), DeepThink will ensure compliance with the GDPR through: 4.2.a.Standard contractual clauses (SCCs) approved by the European Commission. 4.2.b.Binding corporate rules (BCRs). 4.2.c.Recognized adequacy mechanisms or, failing that, explicit consent of the data subject where necessary.

5.Rights of the data subject As the owner of their personal data, Users may exercise the rights recognized by the GDPR: 5.1.Access: to know what personal data is being processed and to obtain a copy. 5.2.Rectification: to correct errors or update inaccurate data. 5.3.Deletion (right to be forgotten): delete data when it is no longer necessary or there is a legal reason to do so. 5.4.Restriction of processing: temporarily suspend the use of data in certain circumstances. 5.5.Portability: receive your data in an interoperable format and transfer it to another controller. 5.6.Objection: refuse processing based on legitimate interest or for direct marketing purposes. Users may exercise these rights free of charge by contacting DeepThink via email at [email protected] You must identify yourself properly and indicate the right you wish to exercise. DeepThink may request additional information to verify the identity of the applicant. If you are a registered User, you can access, rectify, or delete part of your data directly from your private area in SWPANEL.

6.Data Protection Officer (DPO) DeepThink is not currently required to appoint a Data Protection Officer under the GDPR. However, it has a team responsible for privacy compliance, which handles queries or requests via email at [email protected] If a DPO is appointed in the future, Users will be duly informed.

7.Additional information and transparency DeepThink provides Users with the information required by Articles 13 and 14 of the GDPR at the time of data collection, whether in forms, registration processes, contracts, or contact. Any substantial change in the purposes of the processing or in the data shared will be notified to the User, and when legally required, their consent will be requested again.

8.Complaints to the Supervisory Authority Users have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) or another competent authority in their country of residence. However, DeepThink recommends resolving any incidents amicably by contacting its privacy department directly.