[ EN | PL]

EFFECTIVE AS OF March 30th, 2026.

SpotOn Poland PRIVACY AND COOKIES POLICY.

This Privacy and Cookies Policy (the "Policy") is provided to fulfil the Controller's obligations under Regulation (EU) 2016/679 (General Data Protection Regulation – "GDPR") and explains how personal data are collected, used, and protected in connection with the use of the website available at https://pl.spoton.com (the "Website").

If you have any questions about the processing of your personal data, you can direct them to the following email address: poland-rodo@spoton.com.

I. POLICY PROVISIONS

The purpose of the Policy is:

• a) to present the rules of processing of personal data by the Controller within the Website, and through its provision to provide data subjects with the necessary information on the processing of their personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: "GDPR");
• b) to explain your rights in relation to the personal data processed by the Controller and the way in which they are protected;
• c) to provide information on the cookies used within Website and the rules of their acceptance.

II. GENERAL INFORMATION

1. The Controller of your personal data is

   SPOTON POLAND spółka z ograniczoną odpowiedzialnością with its registered seat in Kraków (Aleja 29 Listopada 20, 31-401 Kraków), entered in the Register of Entrepreneurs of the National Court Register kept by the District Court for Kraków Śródmieście in Kraków, XI Commercial Division of the National Court Register under KRS number 0000807479, NIP 6762572293, REGON 384561488, email address: poland-rodo@spoton.com, phone number: +48 739971460 (the charge as for a standard call - according to the price list of the relevant operator) (hereinafter: the "Controller");

2. The Controller has not appointed a Data Protection Officer. A contact person for privacy matters is available at the e-mail: poland-rodo@spoton.com.
3. The Controller shall ensure that it takes special care to protect the interests of data subjects, and in particular declares that:
   • a) processes personal data lawfully, fairly and in a transparent manner for data subjects;
   • b) collects personal data for specified, explicit and legitimate purposes and does not process them further in a way incompatible with those purposes;
   • c) personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed;
   • d) personal data are correct and updated when necessary;
   • e) keeps personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
   • f) processes personal data in a manner which ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures.
4. Providing your personal data is voluntary but necessary for the purposes indicated in point III below.

III. PURPOSE AND LEGAL BASIS OF PROCESSING

Your personal data may be processed for different purposes and on different legal bases depending on which functionalities within Service you use.

1. USING WEBSITE As part of your visit to the Website and your activities on the Website, the Controller may process your personal data (including but not limited to the IP address of the device you are using) for the following purposes:
   • a) fulfilment of legal obligations to which the Controller is subject - legal basis: Article 6(1)(c) of GDPR - processing is necessary for compliance with a legal obligation to which the Controller is subject;
   • b) to enable use of the Website, to conduct marketing, analytical and statistical activities and to ensure security of the Website - legal basis: Article 6 (1)(f) GDPR - legitimate interest pursued by the Controller;
   • c) establishment, exercise or defence of possible claims - legal basis: Article 6(1)(f) GDPR - legitimate interest pursued by the Controller.
2. RECRUITMENT PROCESS
   In connection with the Controller's recruitment processes, the Controller may process the personal data you provide (e.g. personal data provided in your CV), for the following purposes:
   • a) for the purpose of conducting the current recruitment process, limited to the personal data required by law, in particular under Article 22¹ of the Labour Code, in accordance with Article 6(1)(c) of the GDPR
   • b) to the extent of additional data provided voluntarily – pursuant to Article 6(1)(a) of the GDPR (consent);
   • c) in the case of recruitment based on civil law contracts – pursuant to Article 6(1)(b) of the GDPR (performance of a contract);
   • d) for the purposes of future recruitment processes, if the candidate has given consent – pursuant to Article 6(1)(a) of the GDPR (consent);
   • e) for the establishment, exercise, or defense of legal claims – pursuant to Article 6(1)(f) of the GDPR (legitimate interests).

   2.1 RECRUITMENT SYSTEMS AND ASHBY

   Recruitment processes are conducted using electronic recruitment systems, including tools provided by Ashby, Inc., which operates an applicant tracking system (ATS).

   In this context:

   • • the Controller acts as the data controller;
   • • Ashby, Inc. acts as a data processor within the meaning of Article 4(8) GDPR, processing personal data solely on the Controller's behalf and on the basis of a data processing agreement compliant with Article 28 GDPR.

   Ashby does not independently determine the purposes or means of processing personal data.

   As part of recruitment conducted via electronic systems, the Controller may also process recruitment-related communications, interview notes, assessments, and technical metadata. Interview recordings or transcripts are used only where applicable and only after prior information is provided to candidates.

   2.2 DATA ACCESS, CORRECTION AND DELETION REQUEST (DARs)

   Candidates have the right to request access to, correction of, or deletion of their personal data. Such requests should be submitted via email to poland-rodo@spoton.com.

   Where the Controller does not have direct technical access to delete personal data stored in Ashby's systems, the Controller reserves the right to enforce the removal of personal data by requesting Ashby to delete the data on the Controller's behalf. Candidates will be informed of the actions taken regarding their requests.

3. CONTACT FORM
   The personal data you provide in connection with submitting an request via the contact form may be processed by the Controller for the following purposes:
   • a) fulfilment of legal obligations to which the Controller is subject - legal basis: Article 6(1)(c) of GDPR - processing is necessary for compliance with a legal obligation to which the Controller is subject;
   • b) handling your request and providing answers, conducting marketing, analytical and statistical activities - legal basis: Article 6(1)(f) GDPR - legitimate interests pursued by the Controller;
   • c) establishment, exercise or defence of possible claims - legal basis: Article 6(1)(f) GDPR - legitimate interest pursued by the Controller.
4. PROCESSING PERIOD
   Your personal data may be processed for the following periods, depending on the purpose of processing:
   • a) in connection with the use of the Website – for the duration of your session or in accordance with the retention periods resulting from cookie settings;
   • b) in connection with recruitment processes – for the duration of the recruitment process and, thereafter, for the period necessary to establish, exercise or defend legal claims; in the case of candidates who have given separate consent for participation in future recruitment processes – for a period not exceeding 24 months or until the consent is withdrawn, whichever occurs first;
   • c) in connection with submitting an enquiry via the contact form – for the duration of the correspondence and thereafter for the period necessary to protect against potential claims;
   • d) for marketing and analytical purposes – until the consent is withdrawn; in the case of processing based on legitimate interest – until an effective objection is raised;
   • e) for the establishment, exercise or defense of possible legal claims – until the expiry of the limitation periods provided by applicable law;
   • f) for the performance of legal obligations to which the Controller is subject – for the period required by the applicable law.

   Where personal data are processed for more than one purpose, they may be retained until the expiry of the retention period applicable to the specific purpose justifying the longest lawful processing.

   If your personal data are processed on the basis of consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to its withdrawal.

5. DATA RECIPIENTS
   1. The Controller may make your personal data available to third parties with whom it cooperates or will cooperate in connection with running the Website. These may be entities that technically assist the Controller in running the Website, e.g. providers of hosting or telecom services. Moreover, personal data may also be made available to entities that provide support in communication with clients, execution of marketing campaigns and conducting recruitment processes, as well as providers of legal, accounting and advisory services.
   2. The Controller endeavors to ensure that third parties to whom personal data is shared within the Website are required to apply appropriate measures to ensure the security and protection of your personal data. Your personal data may also be provided to other companies within the capital group to which the Controller belongs.
   3. Your personal data are generally processed within the European Economic Area ("EEA"). However, in the event that the Controller engages in cooperation with third parties (including Ashby) with regard to the operation of the Website, your personal data may be transferred to a country outside the EEA where the entity cooperating with the Controller maintains personal data processing tools in cooperation with the Controller. In such a situation, the transfer of data will take place only to the extent necessary, connected with the provision of services by those entities to the Controller.
   4. In case of transfer of personal data to entities established outside the EEA, the Controller shall ensure that the requirements set out in Chapter 5 of the GDPR are applied, including the use of appropriate safeguards for the transfer in the form of standard data protection clauses adopted by the European Commission. You have the opportunity to obtain a copy of the safeguards for personal data transferred outside the EEA by contacting the Controller at: poland-rodo@spoton.com.
6. RIGHTS OF DATA SUBJECTS
   In relation to the processing of your personal data, as a data subject, you have the right to:
   • a) access to your personal data (including e.g. to receive information on which personal data are processed)
   • b) erasure of personal data (e.g. if it has been processed unlawfully);
   • c) rectify inaccurate or incomplete data;
   • d) transfer personal data which have been provided to the Controller and which are processed by automated means and the processing is based on consent or the necessity to perform a contract, e.g. to another controller;
   • e) withdraw a consent (where the basis for the processing of personal data is consent) at any time, whereby withdrawal of consent does not affect the processing carried out by the Controller in accordance with the law prior to its withdrawal
   • f) object to the processing of personal data based on the necessity for purposes resulting from the legitimate interests pursued by the Controller or by a third party, including in particular to the processing for marketing purposes;
   • f) lodge a complaint to the President of the Personal Data Protection Office.
7. COOKIES
   1. The Controller uses cookies (small text files, so-called cookies) or files with functionality similar to cookies, which are stored on your terminal device in connection with the use of the Website.
   2. Cookies are not harmful to you or your device. Restrictions on the use of cookies may affect certain functionalities available on the Website, enable or significantly impede the proper use of the Website.
   3. In many cases, your web browser will allow cookies to be stored on your device by default. At any time, you can delete cookies stored on your device or block their placement in the settings of your web browser. At the same time, please note that deleting or blocking the placement of certain cookies may restrict the use of certain functionalities available on the Website.
   4. As part of the use of the Website, you have the opportunity to select the scope of application of cookie technology, and then give the appropriate consent corresponding to the selected scope. Depending on the scope of application of the cookie technology you agree to, such cookies will be installed on your terminal device.
   5. Cookies collect various types of information which, in principle, do not constitute personal data (they do not allow you to be identified). However, some information, depending on its content and how it is used, may be associated with a specific person and thus be considered personal data. The provisions of this Policy regarding personal data apply accordingly to such information. To the extent that cookies contain your personal data, the basis for their processing is the legitimate interest of the Controller or a third party - Article 6(1)(f) GDPR.
   6. Detailed information on how to block / delete cookies is available in the "Help" section in the menu of your web browser. For example, in Internet Explorer, cookies can be modified from: Tools -> Internet Options -> Privacy; in Mozilla Firefox browser: Tools -> Options -> Privacy; and in the Google Chrome browser: Settings -> Show advanced settings -> Privacy -> Content settings -> Cookies. The access paths may differ depending on the browser version used.
   7. There are two main types of cookies used on the Service:
      • a) "session cookies" - which are temporary files that are stored in your terminal device until you leave the website or turn off the software (web browser); and
      • b) "persistent cookies" - which are stored on your terminal device for the time specified in the parameters of cookies or until you delete them.
   8. In addition to essential cookies (which the Controller uses to ensure the proper functioning of the Website and the safe use of the Website), the Controller may also use the following types of cookies within the Website:
      • a) analytical / functional cookies - cookies aimed at conducting analysis of the way the Website is used. Thanks to them the Controller may, among other things, determine the number of persons visiting the Website, as well as detect irregularities in its functioning and at the same time constantly improve it. These cookies also make it easier for you to use the Website (e.g. by storing information and settings provided by you);
      • b) marketing (advertising) cookies, which are used to present advertisements tailored to your interests, and may also be used to tailor the content and advertising presented to you by third parties with whom the Controller cooperates.
8. FINAL PROVISIONS
   1. This version of the Policy is effective as of March 30th, 2026.
   2. Due to the fact that the Website may present links to external websites that do not belong to the Controller and for which the Controller is not responsible, it is recommended to read the privacy policies of external websites belonging to other controllers.
   3. The Controller reserves the right to change the Policy - it can take place, among others, for the following important reasons:
      • a) changes in applicable regulations, in particular in the field of personal data protection, telecommunication law and electronically provided services affecting the rights and obligations of the Controller or the person visiting the Website;
      • b) development of functionalities or electronic services dictated by the progress of Internet technology, including the application / implementation of new technological or technical solutions, affecting the scope of the Policy;
   4. The Controller shall each time post information on changes to the Policy within the Website. Each time the Policy is changed, a new version of the Policy will appear with a new effective date.