ATEMIS LTD (Bulgarian legal form: „АТЕМИС“ ЕООД) (Notice regarding the processing of personal data) Personal data controller: 1. Name: „ATEMIS“ Ltd (EOOD) 2. UIC: 130929244 3. Registered office and address of management: Bulgaria, Sofia (1408), Triaditsa district, Strelbishte residential area, Nishava str., 113 4. Phone: +359 88 577 3839 5. Email: contact@nfconnections.com 6. Website: https://www.nfconnections.com/ ATEMIS Ltd (the „Company“ or the „Controller“) carries out its activities in accordance with the Bulgarian Personal Data Protection Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (the „General Data Protection Regulation“ or the „GDPR“). This Privacy Policy (the „Policy“) aims to inform every Client (as defined below) of the Company about the processing of data by which the specific Client is identified or can be identified. For the purposes of the Policy, „Client“ means any natural person who is party to a contract with the Company for the sale of goods, as well as any natural person who has expressed a willingness to enter into pre-contractual relations with the Controller and/or a user of the NFConnections online store accessible on the Internet at https://www.nfconnections.com/, as well as a director, manager, representative, proxy, employee, partner, shareholder, beneficial owner of a legal entity or other legal formation using the online store.

As a controller, the Company processes the following groups of Clients‘ personal data: • Physical identity – name, address, telephone, email address; • Economic identity – information on bank account number. Personal data is collected by the Controller from the data subjects themselves.

We collect personal data: • during registration on the online store website and when using the online store without registration; • when communicating with the Client, which may include written communication (including electronic) and oral communication; • through „cookies“ when using or browsing our website. In some cases we may also collect information from third parties or public sources. Our website collects data in log files. This information includes your IP address, Internet service provider, browser used, operating system, when you visited our website, and pages visited. Our website uses „cookies“. Cookies are small information files that the website sends to the visitor‘s browser. The browser stores this information in a text file on the user‘s end device. They help our website work better for you. For more information on cookies, please see our Cookie Policy published on the online store website: https://www.nfconnections.com/en/cookies

The Company does not process special categories of personal data relating to Clients.

The Company processes Clients‘ personal data for the following purposes: • providing information and assistance you have requested from us; • identification and contact with clients and beneficial owners; • all activities related to the existence, modification and termination of the relationship between the Company and the Client; • offering and promoting additional services; • complying with regulatory requirements; • legal defence in the event of a dispute and cooperation with regulators to the extent required by law. If we do not process this personal data, we may be unable to provide our services or the assistance you have requested.

Clients‘ personal data is collected, processed and used on several legal bases: • Performance of a contract or steps prior to entering into a contract; • Compliance with a legal obligation applicable to the Company; • Legitimate interests pursued by the Company or a third party, where such interests are not overridden by the interests or rights of data subjects – including resolving disputes; preventing, detecting and investigating fraud, breaches or other unlawful conduct; establishing, exercising or defending legal claims; • Consent, where required by applicable law.

The Company retains personal data for the duration of the contractual relationship and until settlement of claims under the contract, and for a subsequent transitional period (e.g. to meet archiving and accounting record obligations). If court or other proceedings are initiated, personal data may be retained until the end of such proceedings, including any appeal periods, and will then be erased or archived as permitted by applicable law. In particular, accounting and tax records containing personal data are retained for 10 years from 1 January of the reporting period following the period to which they relate. Where your personal data is processed on the basis of your consent, we will process it only as long as we have your consent to do so.

The Company may, at its discretion, transfer part or all personal data to processors for the purposes of processing, in compliance with the GDPR. The Company shares personal data with: • third-party service providers engaged by us to perform functions or activities on our behalf; • third parties: regulators, tax and financial authorities, judicial, administrative and law enforcement authorities, all in accordance with applicable law. This list is not exhaustive and other lawful grounds for storing, disclosing or otherwise processing your personal data may apply. The Company informs the data subject if it intends to transfer part or all of their personal data to third countries or international organisations.

The Company implements and maintains appropriate technical and organisational measures to protect personal data against unauthorised access or unlawful use and/or against accidental loss, alteration, disclosure, access and/or damage or copying. These measures are intended to ensure lasting confidentiality and security of personal data. The Company regularly reassesses these measures with a view to maintaining ongoing security of personal data.

The Company does not perform automated decision-making based on personal data.

When paying by bank card, your card details are entered directly into the secure system of our payment partner Stripe/Stripe.com. We do not have access to your full card number, CVV or PIN. Processing of this data follows the security rules of the relevant financial institution and PCI-DSS standards.

To maximise protection when exchanging information and processing card transactions, our website uses SSL (Secure Sockets Layer) technology. All data transmitted between your browser and our servers is encrypted using a high-assurance SSL certificate provided and managed by our infrastructure partner Vercel Inc. What this means for you: Transaction encryption: All payment-related information is transformed into unreadable form (via TLS 1.2/1.3 security protocols) so that third parties cannot intercept or read it in transit to the payment terminal. Server authentication: The certificate ensures communication is with our legitimate website, not a forged copy. Data integrity: SSL helps ensure your data (names, addresses, payment parameters) has not been tampered with in transit. In line with Vercel Security practices, we maintain automatically renewed certificates from trusted Certificate Authorities, supporting continuous protected connection.

Each Client may exercise the rights below by written notice to the Company. • Withdrawal of consent Where processing is based on the Client‘s consent, the Client may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. • Right of access Each Client has the right to obtain confirmation from the Company whether personal data concerning them is being processed. This includes the right of access, the right to obtain a free copy of the data (except in cases of excessive or repeated requests), unless otherwise provided by applicable data protection rules, and the right to receive core information about the processing. The Company provides a free copy of personal data undergoing processing but may charge an administrative fee in cases of repetitive or excessive requests. • Right to rectification Each Client has the right to rectify, or request the Company to rectify without undue delay, inaccurate, incomplete or outdated personal data relating to them. • Right to erasure („right to be forgotten“) Each Client may request erasure of personal data relating to them without undue delay where one of the following applies: (i) the data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the Client withdraws consent on which processing relies and there is no other legal basis; (iii) the Client objects as described below; (iv) the data has been processed unlawfully; or (v) erasure is required to comply with a legal obligation under EU or Member State law or other applicable law; (vi) the data was collected in connection with information society services offered to children. The Company may refuse erasure where processing is necessary: (i) for freedom of expression and information; (ii) for compliance with a legal obligation or performance of a task in the public interest or exercise of official authority; (iii) for public health reasons; (iv) for archiving, research or statistical purposes in the public interest; (v) for establishing, exercising or defending legal claims. • Right to restriction Each Client may obtain restriction of processing where: (i) they contest accuracy (restriction for a period allowing verification); (ii) processing is unlawful but the Client prefers restriction to erasure; (iii) the Company no longer needs the data but the Client needs it for legal claims; (iv) the Client has objected and the Company is verifying whether its legitimate grounds override those of the Client. • Right to object Each Client has the right to object at any time, on grounds relating to their situation, to processing concerning them. For processing based on the Company‘s legitimate interests, the Company will cease processing unless it demonstrates compelling legitimate grounds overriding the Client‘s interests. • Right to data portability Including: (i) receive data in a structured, commonly used, machine-readable format to transmit to another controller; or (ii) direct transmission where technically feasible. • Right to lodge a complaint Each Client may lodge a complaint with the Commission for Personal Data Protection (CPDP), the competent supervisory authority. Commission for Personal Data Protection Address: Sofia, p.k. 1592, „Prof. Tsvetan Lazarov“ str. No. 2, tel. (02) 91 53 519, fax: (02) 91 53 525 email: kzld@cpdp.bg website: www.cpdp.bg

If there is a material change in how the Company processes Clients‘ personal data and/or the categories of data processed and/or any other aspect of this notice, the Company will notify Clients promptly and provide an updated version of the notice.