PRIVACY AND DATA PROTECTION POLICY OF
On Using the Website of Smart Factoring EOOD for
the “Express Factoring” Service
1. Purpose of the policy
Dear existing and potential customers,
Protecting your personal data is important to us. We have therefore taken the necessary legal,
organisational and technical measures to process your personal data in a lawful, appropriate and
transparent manner. This SMART FACTORING EOOD Personal Data Processing Policy explains what
personal data we shall process about you; for what purposes and on what grounds the information shall
be processed; what recipients we might provide it to and for what periods we shall keep it.
We encourage you to read this information carefully to learn more details about how your personal data
is processed when you act as a representative and/or employee of a customer, a potential customer, a
person associated with a customer, a counterparty of a customer or a customer of our customer, a
debtor of a customer, or our partners, or when you visit our website. Regardless of the purposes for which
and the grounds on which your personal data is processed, SMART FACTORING EOOD will treat it with the same care.
This document also contains information about your rights and how you can exercise them.
SMART FACTORING EOOD may update this privacy notice, the latest version of which can be found
at: www.xpress-factoring.com
SMART FACTORING EOOD shall notify you of any material changes to this information on its website
or through another communication channel.
You can find more information about Bulgarian legislation on personal data protection on the website
of the Commission for Personal Data Protection at: www.cpdp.bg
2. Administrator details
SMART FACTORING EOOD is a company registered in the Commercial Register at the Registry
Agency with UIC 207214254. The registered office and the address of the registered office of “SMART
FACTORING” EOOD (the Company) is located at: Republic of Bulgaria, Sofia, 1000, “Triaditsa” district,
2 “Positano” sq.
The Company performs the following business activities:
Factoring activity consisting of the acquisition of receivables arising from the supply of goods and/or
services, collection of receivables, factoring operations to support intercompany commercial
relationships, which includes the collection, management and redemption of payments, the financing of
obligations with and without security, including the collection and closure of receivables granted by third
parties, the obtaining and/or granting of commercial credit and loans related to the financing of private
parties with the accompanying guarantees in agreements. To carry out the activities referred to in Article
2(2)(12) and Article 3(1), items 1 and 2 of the Credit Institutions Act, the company shall be entered in
the public register of the Bulgarian National Bank.
The goal of SMART FACTORING EOOD and Xpress Factoring is to support the financial stability,
growth and success of Bulgarian companies in various sectors of the economy by providing them with
opportunities to access working capital to meet their cash flow needs that will enable them to operate
more efficiently, expand their customer base and increase sales and profits.
SMART FACTORING EOOD is a financial institution registered in the Register of Financial Institutions
under Article 3a of the Credit Institutions Act.
For inquiries related to the processing of personal data, you can contact us at the following
address: data.privacy@smart-factoring.com
3. Definitions
a. ‘Personal data’ means any information relating to an identified natural person or an identifiable
natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
psychological, economic, cultural or social identity of that natural person.
b. ‘Processing of personal data’ means any operation or set of operations which is performed upon
personal data or a set of personal data, whether or not by automatic means, such as collection,
recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination,
restriction, erasure or destruction;
c. ‘Data controller’ means a natural or legal person, public authority, agency or other body which alone
or jointly with others determines the purposes and means of the processing of personal data; where the
purposes and means of such processing are determined by Union or Member State law, the controller
or the specific criteria for its determination may be laid down in Union or Member State law;
d. ‘Data processor’ means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller;
e. ‘Third party’ means a natural or legal person, public authority, agency or other body other than the
data subject, the data controller, the data processor and the persons who, under the direct authority of
the controller or the processor, are entitled to process the personal data;
f. ‘Special categories of personal data’ (‘sensitive personal data’) means personal data
revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union
membership, as well as genetic data, biometric data, data concerning health or data concerning a
natural person’s sex life or sexual orientation;
g. ‘EU Regulation 2016/679‘ means Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation);
h. ‘Factoring‘ according to §1, item 11 of the Additional Provisions of the Corporate Income Tax Act,
“factoring” is a transaction for the transfer of lump-sum or periodic cash receivables arising from the
supply of goods or services, regardless of whether the person acquiring the receivables (the Factor)
assumes the risk of collecting those receivables against remuneration.
4. Principles of data processing
SMART FACTORING EOOD, as a data controller, in compliance with the principles of lawfulness,
fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and
confidentiality, and accountability, processes personal data of the following categories of data subjects:
individuals who are representatives and/or employees of, or are in any other legal or factual relationship
with:
– our client;
– a potential client;
– a person related to our client or potential client;
– a contractor of our client or a client of our client;
– a debtor of our client;
– our partners.
When you visit our website we may process your personal data. For more information, please also see
our Cookie Policy (Information on the use of cookies on the SMART FACTORING EOOD website –
link).
5. Types of personal data processed
SMART FACTORING EOOD may process various types of personal data relating to your physical,
family or economic identity, grouped into the categories set out below. Personal data may be obtained
from you or collected from third parties. Depending on the specific products and/or services you use, or
the purposes for which you contact the Company or have a relationship with it, SMART FACTORING EOOD
processes some or all of the data listed.
5.1 Personal data categories
- Personal information (names, ID number/date of birth, ID number of foreigner, nationality,
address(es), including country, number, date of issue, date of validity and issuer of ID,
telephone number, e-mail address, customer number, IBAN of customer accounts, details of
legal and proxy representatives, owners/ beneficial owners of the capital, details of persons
through whom a particular natural or legal person is contacted, etc.).
- Economic information (property status and property rights, income, affiliation between
persons, financial situation, including credit history, etc.).
- Family identity (marital status, family relationships, etc.).
- Information collected when you use information and communication technologies
o IP addresses, online IDs, username, password, log data.
o Location (e.g. from your mobile phone, IP address).
o Device-specific information (e.g., hardware model, operating system version, unique
device IDs, and mobile network details including phone number).
o Cookies that can uniquely identify your browser.
- Information on products and/or services used (what products/services you have used
and/or are using, your specific requirements for the products/services).
- Information from background checks carried out on individuals’ social media profiles
and other sources other than the data subject themselves (background checks) where this is
necessary and proportionate in order to collect, service and manage acquired claims or other
legitimate interest of the Company following a balancing test.
- Special categories of personal data – data relating to presence on ban and sanctions lists
and prominent political figures published by international and national organisations and
institutions, data relating to convictions and offences for the purposes of deciding whether to
enter into a relationship with you in relation to a particular service in light of the requirements of
anti-money laundering and counter-terrorist financing legislation.
5.2 In a number of cases we collect and process your data when you are not our customer.
For example:
- where you or a person you represent is the payer of receivables acquired from us under a
factoring agreement;
- where a request has been made to us by a third party for the provision of a factoring service or
other type of financing for which you or a person you represent will be the payer under a
factoring agreement;
- where you are acting in your capacity as an agent (legal or by virtue of a power of attorney) of
our client or because you yourself are in the process of applying for our product or service;
- where you are directly or indirectly involved in the ownership of an entity that is or wishes to
become our client, we are required to identify its beneficial owner in order to comply with our
obligations under the Anti-Money Laundering Measures Act;
- where you or a person you represent is a member of the governing body of a legal entity which
is or wishes to become our client and the decisions of that body concern our relationship with
that legal entity;
- where you are named as a contact person by our client or by a person with whom we have a
contractual relationship or by a debtor of our client;
- where your data is provided to us in an enquiry or instruction concerning you or a person you
represent made by a public authority/institution or a person exercising public functions (e.g. a
private enforcement agent).
In all instances where we access and process your data, we undertake to comply with the principles
described in this document and the requirements of applicable data protection legislation.
5.3 Public data and data acquired through third parties
SMART FACTORING EOOD from time to time processes public information, such as:
- Data on participation in companies and NPOs (non-profit organizations), publicly available at
the Registry Agency;
- Information made public by the client on websites, social networks and blogs;
- Lists published by the United Nations, the European Union, the Office of Foreign Assets Control
(OFAC) of the U.S. Treasury and the Financial Sanctions Enforcement Service of the U.K.
Treasury, as well as the Consolidated List of the Republic of Bulgaria of individuals, legal
entities, groups and organizations subject to measures under the Measures Against Terrorist
Financing Act, etc.
SMART FACTORING EOOD may also receive your personal data from third parties, such as:
- from members of your family;
- from a creditor of yours who is a customer or potential customer of the Company;
- from persons related to you as defined in § 1, item 4 and item 5 of the Additional Provisions of
the Credit Institutions Act;
- as well as from official public registers that are responsible for the storage of this information in
accordance with law or purchase them from companies that are responsible for the lawful
collection of personal data;
- Databases containing information about prominent political figures and the presence of
negative media information.
Please note that SMART FACTORING EOOD is an obligor within the meaning of Article 4 of the Anti-
Money Laundering Measures Act (“AMLA”) and may collect and process copies of identity documents and other official documents in order to fulfil its obligations.
5.4 CCTV Footage / Security Camera Videos
SMART FACTORING EOOD may use security measures and CCTV cameras inside and outside its
office premises. The Company fully complies with the statutory requirements for the installation and use
of CCTV cameras. If CCTV cameras are installed in the Company’s office, you will be notified by a
sticker displayed in a prominent position. The recordings from CCTV cameras inside and outside the
Company’s offices (indicated by a sticker) are kept for 90 (ninety) days. They may be kept for longer in
cases where:
- the recordings shall be used as evidence of a specific relationship, crime or irregularity;
- the records shall be used as evidence of damages or to identify a criminal, public order offender,
witness or victim.
5.5 Direct Marketing
We collect your personal data when you sign up for our newsletter, which is distributed as part of our
email marketing program.
For direct marketing purposes, we use and process your data to inform you about our latest products
and services and to offer you:
- better terms on the services/products you already use;
- products that you do not use but that we think would be of interest to you or your business;
- special offers made by our professionals tailored to your business.
The information we hold about you consists of the data you have provided to us when using our products
and services, such as that which we collect when you use information and communication technologies
(for example: visit the Company’s website) to access our products, services and communication
channels.
If you do not wish to receive marketing communications, you have the right to object to the processing
of your personal data for direct marketing purposes at any time by sending an email to the following
email address data.privacy@smart-factoring.com or by standard mail to the Company’s physical
address listed above.
6. Purposes and legal grounds under which SMART FACTORING EOOD processes personal
data
The personal data collected by SMART FACTORING EOOD in its capacity as Data Controller is
processed for different purposes and on different legal grounds as follows:
6.1 Purposes for which the basis for processing your personal data is an obligation arising from
law (legal obligation):
On the legal basis of Art. 6, item “c” of EU Regulation 2016/679, the Company processes personal data
in order to comply with the legal obligations imposed on it as a controller by the Credit Institutions Act,
the Anti-Money Laundering Measures Act, the Anti-Terrorist Financing Act, the Tax and Social Security
Procedural Code, the Commercial Act, the Obligations and Contracts Act, the Civil Procedural Code,
the other applicable legal and regulatory framework governing the Company’s activities, as well as the
country’s financial, tax, legal and regulatory framework.
For example:
a. Establishing the identity of the person representing the client and verifying his/her
identification – the basis for processing data for this purpose is the AMLA and its Implementing Rules.
b. Implementation of controls to prevent money laundering, embargo and anti-terrorist
actions – The processing of your data is related to measures and actions taken by the Company to
prevent, detect, investigate and report suspicious transactions to the financial intelligence authorities
under the AMLA and its implementing regulations.
c. Provision of information required by the Bulgarian National Bank in connection with the
implementation of supervisory actions against the Company as a financial institution entered in
the Register of Financial Institutions under Article 3a of the Credit Institutions Act.
6.2 Purposes for which the processing of your personal data is based on the performance of a
contractual relationship:
SMART FACTORING EOOD processes your personal data in accordance with Art. 6, item “b” of
Regulation (EU) 2016/679 where the processing is necessary for the performance of a contract to which
the data subject is a party or to take steps at the request of the person to conclude a contract. Where
you take steps to enter into a contract with the Company and/or enter into a contract with the Company,
it is necessary for you to provide information constituting personal data in order for the Company to take
the steps to provide the product or service you wish to be provided with the contract. Failure to provide
your personal data will result in the controller being unable to provide the services you have requested
by taking steps prior to entering into a contract.
a. Drawing up contracts at your request – in order to conclude a contract with you, as a debtor or
guarantor (natural person) under a factoring contract, the Company must have your specific personal
data (e.g. name, date of birth, ID number, ID card number), as well as your contact details. The
Company may also request additional information from you, conditional on the nature of the services
covered by the contract.
6.3 Purposes for which the processing of personal data is based on consent obtained from the
customer:
By way of exception, SMART FACTORING EOOD may process your personal data pursuant to Art. 6,
item “a” EU Regulation 2016/679, for example, when conducting seminars, awareness campaigns,
distribution of specialized and focused information materials, conducting product or market research,
marketing activities (direct marketing).
a. Sending marketing information (direct marketing) – to send you relevant notifications and/or our
email newsletter/communications/updates relating to our business that may be of interest to you, by
post or, where you have expressly consented to this, by email or similar technology that you have
specifically requested. You can inform us at any time if you no longer require marketing
information; please refer to section 5.5 above.
6.4 Purposes for which the processing of personal data is based on the legitimate interests of
the data controller (legitimate interest):
a. Collection/recovery of acquired receivables under factoring contracts.
b. Assignment of acquired receivables under factoring contracts to third parties.
c. Litigation – Establishing, exercising and protecting the rights of SMART FACTORING EOOD –
The Company processes the data of its customers in order to protect its rights in court/litigation, in the
settlement of claims, including with the help of external lawyers, etc. This is the case where
your personal data is processed in connection with the administration of information concerning
litigation, court orders, applications and judgments.
d. Internal reporting, analysis and development of products and services offered – The
Company uses the personal data of its customers in order to improve its market position by offering
new or better services and innovative products while optimizing internal processes.
e. Risk assessment as a fraud prevention and detection measure – The Company processes
customers’ personal data to protect against fraud or criminal activity on their part. The Company has
the right not to partner with high-risk customers who put its reputation at risk. Based on certain facts
(e.g. fake ID, certain customer behaviour) the Company assesses the risk of potential fraud. Certain
indicators of the relevant customer profile, as well as any other information (e.g. a stolen ID card) that
is an indicator of potential fraud, may be used to make such an assessment. Fraud prevention and
detection measures are implemented in the context of implementing internal security rules, exercising
control, ensuring reliable protection of information stored on physical and electronic media. The
implementation of these objectives is necessary to protect the Company’s legitimate interests as a data
controller, which interests are related to its core business as a factoring company.
f. Security and access control, audio and video surveillance, audio and video recording for
security purposes, anti-fraud, records of conducted communication.
7. With whom can we share your data?
7.1 Public authorities, institutions and establishments that supervise the Company’s activities
or compliance with legislation applicable to the Company. These may include, for example:
- BNB (Bulgarian National Bank);
- FSC (Financial Supervision Commission);
- CPDP (Commission for Personal Data Protection);
- CCP (Commission for Consumer Protection);
- NRA (National Revenue Agency);
- NSSI (National Social Security Institute);
- NHIF (National Health Insurance Fund);
- State Agency for National Security;
- General Directorate for Combating Organised Crime;
- Ministry of Interior;
- Judicial authorities, Prosecutor’s Office.
7.2 Natural or legal persons in the performance of the legal or contractual obligations of the data
controller. Where the third parties with whom we share your personal data act as a data processor on
behalf of the Company or as a joint controller with the Company, we enter into the relevant required
contracts in order to protect your personal data and comply with applicable law.
For example:
- Persons assisting the Company in connection with the servicing and collection of receivables;
- Organisations providing information and communication technology, such as operating
systems and services;
- External legal consultants, attorneys and law firms/partnerships that have contracts with the
Company;
- External consultants and/or auditors who have contracts with the Company;
- Organizations specializing in paper and/or digital information archiving and access;
- Postal and courier service providers;
- Organisations that provide internal audit or regulatory compliance verification and assurance
services with which the Company has contracted;
- Banks, financial and payment institutions in connection with the collection of acquired
receivables under factoring contracts.
7.3 We may share data with other companies in the international group that have offices and people
around the world and primarily in the United States of America, Costa Rica, China, Vietnam, the
Republic of Cyprus, Bulgaria, Malta, Rwanda and Nigeria. The information we collect may be stored,
processed and transferred between each of the countries in which we operate to allow us to use and
process the information in accordance with this policy.
7.4 Recipients outside the European Economic Area (EEA)
Personal data may be transferred outside the country in which it was collected and/or processed for the
legitimate interest of the Company related to its activities, in accordance with applicable law. In addition,
to the extent permitted by applicable law, the Company may store and/or process Personal Data in
facilities operated by third parties on behalf of the Company outside the country in which the Personal
Data was collected and/or processed. Countries outside the European Economic Area (“EEA”) do not
always have strict data protection laws. Where the Company transfers personal data from the EEA to
other countries where the applicable laws do not offer the same level of data privacy protection as is
specified in the EEA, the Company shall take measures to ensure an appropriate level of data privacy
protection. For example, the Company uses approved model contractual clauses and other measures
designed to ensure that recipients and/or processors protect personal data.
8. Retention periods for personal data
SMART FACTORING EOOD processes and stores your personal data for the periods set out in the
applicable legislation and in the SMART FACTORING EOOD Data Storage, Archiving and Destruction
Policy.
For example:
1. Personal data related to/contained in documents relevant for taxation and compulsory social security
contributions shall be stored by the obliged person for the following terms:
– accounting records and financial statements: 10 years;
– documents for tax and social security control: 5 years after the expiry of the limitation period for
repayment of the public debt to which they relate;
– all other information carriers: 5 years.
2. Personal data related to the performance of the Company’s obligations under the AMLA: for a period
of 5 years from the date of termination of the relationship or from the date of the incidental
transaction/operation. Upon written instruction of the Director of the Financial Intelligence Directorate of the State Agency for National Security, the term may be extended by no more than two years where proportionate and justified by the need to take appropriate action to prevent or counter money laundering or terrorist financing.
3. Personal data relating to the assertion of claims or the exercise of rights: 5 years from termination of
the contract or collection of the receivables.
Personal data of potential customers is used by the Company for a period of 2 years from the last
contact with the individual. Potential customers may always request that their data be deleted.
The time limits may be extended further, for example in the case of ongoing criminal investigations,
court and arbitration proceedings, suspension/interruption of limitation periods, and in the case of
compliance with orders of public authorities.
9. Rights of data subjects
As a data subject, you may exercise the following rights, subject to the conditions under EU Regulation
2016/679:
9.1 Right of access – Upon your request as a data subject, the Company is obliged to provide you
with information on the categories of personal data relating to you that are collected and processed by
the Company, as well as on the purposes for which they are processed, on the recipients or category
of recipients to whom your personal data is provided, on the sources from which the data was obtained,
except where it is collected directly from you.
9.2 Right to rectification and right to erasure (right to be forgotten) – At your request, the Company
shall rectify, erase or suspend the processing of your personal data if there is a case in which its
processing is unlawful or the legal basis for its processing has ceased. In such cases, the Company
shall notify any third party to whom your personal data has been disclosed of any corrections or erasures
it has made, as well as of the cases of suspension of processing of your personal data.
9.3 Right to restriction of data processing – You have the right to request restriction of data
processing where:
– You contest the accuracy of the personal data; in this case, the restriction of processing applies for a
period that allows the controller to verify the accuracy of the personal data;
– the processing is unlawful, but you do not wish the personal data to be erased, but request instead a
restriction on its use;
– The Company no longer needs the personal data for the purposes of the processing, but you require
it for the establishment, exercise or defence of legal claims;
– You have objected to the processing on the grounds of the legitimate interest of the Company and an
investigation is underway to determine whether the legitimate grounds of the controller override the
interests of the data subject.
Where processing is restricted, such data shall be processed, with the exception of their storage, only
with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the
defence of the rights of another natural person, or for important reasons of public interest. Where a data
subject has requested the restriction of processing, the Company shall inform him or her before the
restriction of processing is lifted.
9.4 Right of portability of personal data – As a data subject, you have the right to request to receive
the personal data relating to you that you have provided to the Company in a commonly used, structured
and machine-readable format and you have the right to transmit/transfer that data to another Data
Controller without the Company, as the Data Controller to whom you have provided your data, creating
obstacles for you where the basis for the processing of the personal data is consent or a contractual
obligation and the processing is
9.5 Right to object – As a data subject, you have the right to object to the processing of your personal
data where the processing of your data is based on a legitimate interest of the Company. The Company
shall consider the objection and provide you with its opinion. After considering the objection, the
Company shall, as a matter of principle, suspend the processing of your personal data, and notify all
interested parties to whom the personal data have been transferred of the objection received and of the
measures taken in this respect. In some cases, however, the Company has a compelling legal basis to
continue processing your personal data even after receiving your objection (e.g. in the case of lawsuits,
surveillance in case of suspected fraud, etc.). In these cases, the Company will contact you to clarify
the reasons why it will continue to process your personal data.
9.6 The right not to be subject to fully automated processes involving profiling.
9.7 The right to withdraw your consent to the processing of your personal data.
9.8 Right to file a complaint with the Commission for Personal Data Protection (CPDP) – As a
data subject, you have the right to file a complaint with the Commission for Personal Data Protection
(CPDP) against the actions of the Company in relation to the processing of your personal data.
10. Exercise of rights
Each data subject may exercise his/her rights by submitting a written request/notification to the
Company in free text or in the form attached to this Policy (Annex No. 1 Request for Exercise of
Data Subject Rights). A request/notification may be submitted:
- On site, at the registered office of the Company;
- By post, sent to the Company’s registered office address;
- By electronic means at: data.privacy@smart-factoring.com.
A response to your request/notification will be made without undue delay, within one month of receipt
of the request/notification, unless an extension of time is required, for which the Company will notify
you in a timely manner. The response will be sent/delivered to the address or by the method specified
by you.
When you exercise your rights as a data subject, you need to include a detailed
description of your request in the request/notification submitted to the Company. When you exercise your
rights, the Company needs to verify your identity to ensure that no one else is trying
to impersonate you. For this purpose, the Company may ask you for an ID card or other identification
when providing you with the information you have requested.
You may ask in writing various questions related to the processing of your personal data by the
Company, both at the Company’s office and electronically at: data.privacy@smart-factoring.com.
In case you disagree with the Company’s opinion on the submitted request/notification or wish to obtain
more information, please visit the website of the Personal Data Protection Commission: www.cpdp.bg,
where you could file a complaint.
The exercise of your rights may not contradict the provision of your personal data to the competent
authorities for the prevention, investigation and detection of criminal offences.
11. Policy approval and amendment
The POLICY FOR CONFIDENTIALITY AND PROTECTION OF PERSONAL DATA OF SMART
FACTORING LTD is approved by the Managers of the Company. Amendments and additions to this
policy shall be made by resolution of the Company’s Managers.
This Policy, as well as notices of amendments and supplements thereto, shall be disclosed on the
Company’s website www.smart-factoring.com and www.xpress-factoring.com.