Privacy Policy CRUPOL® Platforms

1. Introduction and General Provisions

1.1 Operator and Parties 1.1.1. This Privacy Policy (hereinafter referred to as the "Policy") regulates the procedure for the processing and protection of personal data provided by Users when using the CRUPOL Platform.

• "CRUPOL TECHNOLOGIES" Limited Liability Company(hereinafter referred to as "Operator", "CRUPOL" or "Platform"), registered in accordance with the legislation of the Republic of Moldova, is the operator of personal data.

IDNO: 1024600013166 Registration date: 28.02.2024 Corporate address: Chisinau municipality, sec. Center, 47 Alecsandri Vasile str., Republic of Moldova Organizational legal form: Limited Liability Company (SRL) Site: www.crupol.mdContact email: [email protected]

• Users are recognized as natural and/or legal persons who use the Platform as lessors ("Hosts") or lessees ("Guests", "Tenants"), as well as other registered persons (hereinafter referred to as "Users").

1.2. Purpose and scope of the Policy 1.2.1. This Policy defines the procedure for processing, storing, transferring and protecting Users' personal data. 1.2.2. The Policy applies to all actions of Users on the CRUPOL Platform, including the use of the website, mobile applications and related services. 1.2.3. The provisions of the Policy are mandatory for all Users, as well as for CRUPOL employees and partners who have access to personal data.

1.3. Applicable law 1.3.1. This policy has been developed in accordance with: - Regulation (EU)2016/679 (GDPR); - Law of the Republic of Moldova133/2011 "On the protection of personal data";- other applicable norms of national and international law.

2. Data collected

2.1 Identification data 2.1.1. The Platform processes personal data necessary for the identification of Users: name, surname, patronymic, date of birth, telephone number, e-mail address and other contact information.

2.2. Identity documents 2.2.1. In order to confirm the identity and the right to drive a vehicle, the Operator may process the passport data, driver's license data and other documents submitted by the User.

2.3. Vehicle details (for hosts) 2.3.1. When placing a vehicle on the Platform, the Host is obliged to provide reliable data about the vehicle, including: – vehicle identification number (VIN code); – technical passport (vehicle registration certificate); – a power of attorney or other document confirming the right to dispose of the vehicle (if applicable); – state registration number, make, model and year of manufacture. 2.3.2. The specified data is used to verify the uniqueness, authenticity and legality of the use of the vehicle on the Platform.

2.4. Financial data 2.4.1. To ensure payments and settlements between Users and the Operator, bank card or account details, as well as information about completed transactions, may be processed.

2.5. Service usage data 2.5.1. The Operator processes data about the actions of the Users on the Platform, including the history of reservations, vehicle rentals, posted reviews, complaints and other forms of interaction.

2.6. Photo and video materials 2.6.1. For the purpose of verifying and confirming rental facts, the following may be collected and processed: – photos of the User (selfie) upon completion of the KYC procedure; – photographs and/or video materials of the vehicle when drawing up the receipt certificate.

2.7. Technical data 2.7.1. The Platform automatically collects technical information, including IP address, device type and model, operating system, browser version and geolocation data (if access settings are enabled). 2.7.2. This data is used exclusively to ensure the security, analysis and improvement of the quality of the Platform.

2.8. Use of external services for verification 2.8.1. To verify the authenticity of identity documents, as well as vehicle documents, the Platform has the right to engage specialized third-party verification services (KYC/AML providers, anti-fraud systems). 2.8.2. The transfer of data to such providers is carried out in the volume necessary to carry out the verification procedure and in accordance with the requirements of the legislation on the protection of personal data. 2.8.3. The operator ensures the selection of reliable partners and concludes data protection agreements with them, but is not responsible for malfunctions in the operation of the specified services, technical errors, processing delays or other circumstances that cannot be directly controlled by CRUPOL.

3. Purposes of data processing

3.1. Registering and using an account 3.1.1. The User's personal data is processed to create, activate and maintain an account on the Platform, as well as to provide access to its functionality.

3.2. Execution of rental and agency contracts 3.2.1. The data are processed for the purpose of concluding and executing vehicle rental contracts between Hosts and Guests, as well as intermediate service agreements between Hosts and CRUPOL.

3.3. Vehicle Identity and Rights Verification (KYC/AML) 3.3.1. Personal data and documents are processed to confirm the identity of Users, verify driver's licenses, verify legal grounds for possession or disposal of a vehicle and to prevent fraud and other illegal actions.

3.4. Confirmation of authenticity and uniqueness of vehicles 3.4.1. Vehicle data, including VIN code, technical passport and power of attorney (if applicable), are processed to verify the uniqueness of the vehicle, eliminate duplication and confirm the legality of placing the vehicle on the Platform.

3.5. Making payments and interacting with insurance 3.5.1. Financial data is processed to carry out vehicle rental transactions, as well as to interact with insurance companies when issuing insurance coverage and settling insurance claims.

3.6. Communication and user support 3.6.1. Contact information is used to inform Users about the status of reservations, changes in the operation of the Platform, to provide technical and customer support, as well as to process requests, complaints and reviews.

3.7. Legal and fiscal obligations 3.7.1. Data processing is carried out to comply with the requirements of the legislation of the Republic of Moldova, the European Union and other applicable regulations, including fiscal, accounting and anti-fraud regulations.

3.8. Service analysis and development 3.8.1. Anonymized and aggregated data are processed to analyze the operation of the Platform, improve the quality of the services provided, develop new functions and increase the level of security.

4. Legal basis for processing

4.1. Execution of the contract 4.1.1. The processing of personal data is carried out to the extent necessary for the conclusion and execution of vehicle rental contracts between Hosts and Guests, as well as intermediate service agreements between Hosts and CRUPOL.

4.2. User Consent 4.2.1. In certain cases, the processing of personal data is carried out based on the explicit consent of the User (for example, when verifying the identity using photo and video materials or when receiving marketing notifications). 4.2.2. The user has the right to revoke this consent at any time, however, the revocation of consent does not affect the legality of the processing carried out prior to such revocation.

4.3. Legal obligation 4.3.1. Personal data are processed in cases where they are necessary to fulfill the obligations established by the legislation of the Republic of Moldova, the European Union or other applicable regulations (for example, fiscal, accounting, anti-fraud and other requirements).

4.4. The legitimate interests of CRUPOL 4.4.1. The processing of personal data can also be carried out based on the legitimate interests of CRUPOL, including ensuring the security of the Platform, preventing fraud, protecting the rights and legitimate interests of Users and the Operator, as well as improving the quality and functionality of the services offered. 4.4.2. When processing data based on the legitimate interests of CRUPOL, the rights and freedoms of Users are always taken into account, and such processing must not violate their legitimate interests.

5. The legal basis for processing

5.1 Access to data 5.1.1. The User has the right to request from the Operator confirmation of the fact of the processing of his personal data, as well as to receive a copy of this data and information about the purposes of the processing.

5.2. Correction 5.2.1. The user has the right to request corrections or additions to his personal data if they are inaccurate or incomplete.

5.3. Deletion ("right to be forgotten") 5.3.1. The user can request the deletion of his personal data if: – the data are no longer necessary for the purposes for which they were collected; – The user revoked the consent on the basis of which the processing was carried out; – the data were processed illegally. 5.3.2. The operator has the right to save the data in cases where their storage is required by law (for example fiscal or accounting).

5.4 Restriction of processing 5.4.1. The user has the right to request a temporary restriction of the processing of his data, for example, in the event of a dispute regarding their accuracy or during the verification of an objection to the processing.

5.5 Data portability 5.5.1. The user has the right to receive the personal data provided by him in a structured machine-readable format and to transfer it to another data controller if the processing is carried out on the basis of consent or an agreement.

5.6 Objection to processing 5.6.1. The User has the right to object to the processing of his data if it is carried out based on the legitimate interests of the Operator. 5.6.2. In the event of an objection, the processing will be terminated, unless the Operator proves the existence of overriding legal grounds.

5.7. Withdrawal of consent 5.7.1 If the processing is carried out on the basis of consent, the User has the right to revoke it at any time. 5.7.2. The withdrawal of consent will not affect the legality of the processing carried out before this withdrawal.

5.8. Complaint to the supervisory authority 5.8.1. The user has the right to file a complaint with the competent supervisory authority for the protection of personal data of the Republic of Moldova or the country of residence if he believes that his rights have been violated.

6. Legal basis for processing

6.1 Payment providers 6.1.1. In order to carry out transactions and ensure mutual settlements, Users' personal data may be transferred to payment systems, banks and other financial organizations. 6.1.2. The transfer is limited to the minimum necessary volume of data and is carried out exclusively for the purpose of fulfilling the obligations of the rental and agency contracts.

6.2. Insurance companies 6.2.1. Personal data may be transferred to insurance partners to arrange insurance coverage, settle insurance claims or fulfill other obligations related to the rental of a vehicle.

6.3. KYC and anti-fraud partners 6.3.1. To verify the authenticity of documents and prevent fraudulent activities, the Platform may transfer data to specialized identity verification services and anti-fraud systems. 6.3.2. Such services process data strictly within the framework of the concluded agreements and do not have the right to use them for their own purposes.

6.4. Hosting and IT providers 6.4.1. To ensure the operation of the Platform, data storage, technical support and infrastructure maintenance, Users' data may be processed by hosting providers, cloud services and IT service providers. 6.4.2. All such providers are obliged to comply with the confidentiality regime and ensure a level of data protection no lower than that established by the Operator.

6.5. Government bodies 6.5.1. Personal data may be transferred to government agencies, law enforcement authorities and judicial authorities in cases expressly provided by law. 6.5.2. The transfer is carried out only on the basis of a legal request and to the extent necessary for the fulfillment of legal obligations.

7. Data storage

7.1 Account Storage Period 7.1.1. The personal data associated with the User's account are stored for the entire period of use of the account. 7.1.2. After deleting an account, the data is subject to deletion or anonymization, except for those that are required to be retained by law.

7.2. Documents for verification 7.2.1. Copies of documents submitted to confirm identity and rights to the vehicle are kept until the verification procedure is completed. 7.2.2. In cases expressly provided by law (for example, KYC/AML requirements), such documents may be stored longer than the established period.

7.3 Transactions and Accounting Documentation 7.3.1. Data regarding payments, invoices and rental contracts will be stored for the period established by the tax and accounting legislation of the Republic of Moldova, but not less than five (5) years. 7.3.2. Upon expiry of the specified period, this data will be subject to deletion or archiving with restricted access.

7.4. Logs and technical data 7.4.1. Technical logs and other data regarding the use of the Platform are stored for a limited period, usually no more than one (1) year, unless longer storage is required for security or incident investigation.

7.5. Deletion and anonymization 7.5.1. Upon expiration of the storage period, personal data are subject to deletion or depersonalization (anonymization), which eliminates the possibility of identifying the User. 7.5.2. If immediate deletion is impossible (for example, if the data is in backups), the Operator ensures its isolation and deletion at the first technical opportunity.

8. Security

8.1 Encryption and SSL/TLS 8.1.1. The transfer of personal data between the User and the Platform is carried out using encryption protocols (SSL/TLS) to prevent unauthorized access.

8.2. Control acces 8.2.1. Access to personal data is granted only to employees and authorized partners of CRUPOL within the scope of their official duties. 8.2.2. All such persons are obliged to respect the confidentiality regime and are responsible for its violation.

8.3. Two-factor authentication 8.3.1. The Platform may use additional security measures, including two-factor authentication, to increase the level of security of user accounts.

8.4. Incident monitoring and response 8.4.1. CRUPOL performs continuous monitoring of the infrastructure and takes measures to identify, prevent and eliminate security incidents. 8.4.2. In the event of a leak or security threat, Users and supervisory authorities will be notified within the terms established by law.

8.5. User responsibility for password 8.5.1. The user is obliged to independently ensure the safety and confidentiality of his account data. 8.5.2. The Operator will not be responsible for damages resulting from the compromise of the password due to the fault of the User.

9. Cross-border date transfer

9.1. EU and Moldova 9.1.1. Users' personal data can be processed and stored both on the territory of the Republic of Moldova and in the European Union.

9.2. Countries with adequate protection 9.2.1. Data transfer outside the EU and Moldova is possible only to countries recognized by the European Commission as offering an adequate level of personal data protection.

9.3 Standard Contractual Clauses (SCC) and Other Measures 9.3.1. In cases of data transfer to countries that do not ensure an adequate level of protection, CRUPOL applies additional measures, including standard contractual clauses (SCC) and other legal mechanisms provided for by the GDPR.

10. Policy Updates

10.1. The procedure for making changes 10.1.1. CRUPOL reserves the right to modify this Policy to bring it into line with changes in legislation or internal processes.

10.2. Notices to users 10.2.1. When significant changes are made, Users are notified by publishing a new version on the site and/or by email.

10.3. Date of entry into force 10.3.1. The current version of the Policy is indicated with the effective date at the end of the document and applies from the moment of its publication.

11. Contact

11.1. For questions related to the processing of personal data, Users can contact the Operator:

– Email (Data Protection Officer / DPO): [email protected]

– Postal address: CRUPOL TECHNOLOGIES S.R.L., Chisinau municipality, 47 Alecsandri Vasile str., Republic of Moldova

11.2. The user also has the right to contact the supervisory authority:

– National Center for the Protection of Personal Data of the Republic of Moldova (CNPDCP)

– Address: MD-2004, city. Chisinau, Serghei Lazo str., 48

– Telephone: +373 (22) 820-801

– Email: [email protected]

– Site: www.datepersonale.md

© "CRUPOL TECHNOLOGIES" S.R.L. All rights reserved.

CRUPOL® is a trademark registered in the Republic of Moldova.

Official registration: AGEPI — CRUPOL