CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 3 of 37 Contents 1. Introduction ................................................................................................................................................................................. 5 2. Data Controller .......................................................................................................................................................................... 6 3. Definitions ................................................................................................................................................................................... 7 4. General information in connection with data processing ......................................................................................... 9 5. Data processing performed by the company ............................................................................................................. 10 6. Term of data processing ..................................................................................................................................................... 14 7. Data processing ..................................................................................................................................................................... 15 I./ Sum & Substance (KYC/AML partner) ....................................................................................................................... 15 II./ Amazon Web Services (AWS) .................................................................................................................................... 16 III./ SendGrid ............................................................................................................................................................................ 16 IV./ Freshdesk .......................................................................................................................................................................... 16 V./ Auth0 ................................................................................................................................................................................... 16 VI./ Mongo Labs (ObjectLabs Corporation) ................................................................................................................. 17 8. Forwarding data to third country .................................................................................................................................... 18 I./ Amazon Web Services (AWS) Inc. ............................................................................................................................. 18 II./ SendGrid.............................................................................................................................................................................. 18 III./ Freshdesk ........................................................................................................................................................................... 18 IV./ Mongo Labs (ObjectLabs Corporation) ................................................................................................................. 19 9. Data security ........................................................................................................................................................................... 20 10. Rights of data subjects related to the processing of their personal data ................................................. 21 11. Changes of the privacy policy.................................................................................................................................... 25 12. Cookie policy .................................................................................................................................................................... 26 1. Meaning of cookie............................................................................................................................................................. 26 2. Acceptance by visiting the Website .......................................................................................................................... 26 3. Cookies used on our website ....................................................................................................................................... 26

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 4 of 37 4. Newsletters, e-mails ........................................................................................................................................................ 34 5. Individual cookies used on our website.................................................................................................................... 34 6. Switching off and deleting cookies ............................................................................................................................ 35 13. Contact ............................................................................................................................................................................... 37

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 5 of 37 1. Introduction The present privacy policy contains important information about the processing of your personal data. By providing your personal data you accept the terms and conditions set forth in the present privacy policy. Please read this privacy policy regularly since the changes thereof shall be automatically applicable for processing the personal data provided by you even if a previous version of the privacy policy was in force when you provided your personal data. We shall publish the modification of the privacy policy on our websites and we shall also inform you in other forms, depending on what source we have your data available from. Please pay special attention to the provisions of the present privacy policy highlighted by italics because those may contain important provisions about the processing of your personal data. In case data processing takes place on our website then by using the Website you accept the terms and conditions set forth in the present privacy policy irrespectively of whether you register on the Website or not. If you do not accept the provisions set forth in the privacy policy, do not use the Website. The present privacy policy shall be applicable exclusively for the personal data of natural person data subjects considering that the data of legal entities or other organizations not qualified as legal entities shall not be qualified as personal data. By signing the Agreement with BlockBen SIA where the downloading location of the present privacy policy is indicated or by accepting the pop-up window related to the acceptance of the privacy policy on www.BlockBen.com website you shall agree that you have become aware of and accepted the provisions set forth in the present privacy policy.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 6 of 37 2. Data Controller Name: BlockBen SIA Registered seat: Krišjāņa Valdemāra iela 21, Centra rajons, Rīga, LV-1010, Latvia Name of representative: Judit Makszim Contact of representative: 1061 Budapest, Andrássy út 33. 4. emelet 3. Mail address: 1061 Budapest, Andrássy út 33. 4. emelet 3. Email address: support.@BlockBen.com Website: www.BlockBen.com

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 7 of 37 3. Definitions Private person: Any specific natural person identified or directly or indirectly identifiable on the basis of personal data. Personal data: Any data which can be related to the data subject or any data or information (name, identification number) on the basis of which a natural person can be identified either directly or indirectly. During the use of the Website and other software, in addition to the natural personal identification data, photos, gender, age, or any knowledge characterizing one or more physical, physiological, mental, economic, cultural or social identities shall be such in particular. Data subject: any natural persons whose personal data is subject of any data processing. BlockBen SIA shall provide the Services available on the Website exclusively to natural persons over the age of 18 therefore it developed its data processing policy in accordance with this circumstance. Considering that the consent of the legal guardian of children below the age of 16 shall be required for their declaration, BlockBen Financial Services shall obtain the consent of the legal guardian in each case when it conducts data processing addressed to such data subjects. Data controller: the person determining the objectives and means of processing personal data. In case of personal data processing performed via the Website the data controller BlockBen SIA but in certain processes where this is expressly indicated, additional data controllers other than BlockBen SIA also conduct data processing activity. BlockBen SIA shall be qualified as data controller regarding any information and shall process all data provided by the Clients to BlockBen SIA, uploaded to the Website while visiting or using the Website or using any Service available on the Website or which is collected by BlockBen SIA during the activities of the Users on the Website. Data processor: the natural or legal person or any other body processing personal data on behalf of the data controller or performs data processing operations in terms of personal data. BlockBen SIA uses several data processors for its data processing the person of which shall be indicated in relation with the individual data processing or reference shall be made to the categories of data processors. Data processing: Automated or non-automated operation or set of operations performed on personal data for example collecting, storing, recording, disclosing, forwarding or using personal data. Any process in which personal data is made available for BlockBen SIA shall be qualified as data processing.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 8 of 37 Title of data processing: BlockBen SIA shall process personal data typically for the purpose of concluding or performing agreement and legal obligations of BlockBen SIA and on the basis of the consent of the data subject where it is expressly indicated upon recording the personal data. BlockBen SIA shall provide information on the title of data processing in relation with the individual data processing operations. Consent: permission given by the data subject to the data controller to process their personal data for a specific purpose. Voluntary and definite expression of the will of the data subject based on proper information and by which the data subject gives unmistakable consent to processing their personal data comprehensively or for certain operations. Data processing purpose: the specifically determined purpose of processing personal data for example concluding or performing an agreement between BlockBen SIA and the Client. Scope of processed data: BlockBen SIA shall provide the personal data processed upon the individual data processing. Term of data processing: the period of time until BlockBen SIA is entitled to process personal data which shall be provided by BlockBen SIA upon the individual data processing. Data not suitable for personal identification: data which is recorded by BlockBen SIA about the users of the Website, but which is not suitable for directly or indirectly identifying a natural person.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 9 of 37 4. General information in connection with data processing 4.1. The primary title of data processing by BlockBen SIA shall be the performance of an agreement concluded with the data subject on the basis of section b), paragraph (1), Article 6. of the GDPR. 4.2. The Data subject shall be responsible for the truthfulness and accuracy of the personal data provided. BlockBen SIA shall not be liable for the processing of incorrect or untrue data provided by the Data subject or for the damages suffered by the Data subject or any third person due to incorrect or untrue data provision. BlockBen SIA shall not be responsible if BlockBen SIA is deceived regarding the capacity of the Data subject. 4.3. In case of using the Website the title of data processing shall be consent (section a), paragraph (1), Article 6 of the GDPR). In case of data processing based on consent, the Data subject shall be entitled to withdraw such consent any time which however shall not affect the lawfulness of the data processing prior to such withdrawal. Data regarding the verification of the fact of consent shall be preserved by BlockBen SIA until the possibility of verifying such consent or any other legitimate interest of BlockBen SIA makes it necessary. Consent is given by using the website via implicit acceptance. 4.4. Unless otherwise regulated by law, the personal data made available for BlockBen SIA shall only be processed by BlockBen SIA only for the purposes described in the present policy to the extent required to implement such purposes. 4.5. BlockBen SIA performs profiling. Profiling: automated processing of personal data when personal data is used for the assessment of certain personal characteristics (e.g. workplace performance, economic/financial situation, health condition, personal preferences, interests, reliability, behaviour) related to a specific natural person, the analysis or prediction of place of staying or moving. BlockBen SIA performs profiling. BlockBen SIA groups the names and e-mail addresses of registered persons in order to provide relevant content and information and to send marketing newsletters to its users periodically. Such profiling does not consist of automated decision-making.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 10 of 37 5. Data processing performed by the company 5.1./ Service provided on the basis of agreement concluded with the company Scope of data processed Purpose of data processing Title of data processing Data processor Term of data processing photo for personal identification purposes Section b), paragraph (1), article 6 of the GDPR Sum & Substance for 5 years following the performance of agreement Phone number Registration and verified login into Wallet (Two- factor authentication) Section c), paragraph (1), article 6 of the GDPR - statutory obligation Sum & Substance for 5 years following the performance of agreement Data regarding employment and citizenship client identification Section b), paragraph (1), article 6 of the GDPR - performance of agreement Sum & Substance for 5 years following the performance of agreement Let us call the attention of data subjects that the company shall store the data after the termination of the agreement under section f), paragraph (1), Article 6. of the GDPR for the purpose of enforcement of its legitimate interests. Let us inform you that you shall be entitled to object to such data processing based on legitimate interest any time at the representative of the company, in which case the company shall delete your personal data.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 11 of 37 5.2./ Operation and Use of the Website and Registration Scope of data processed Purpose of data processing Title of data processing Data processor Term of data processing Client name*, email address*, password* Operation of services available by the Website (from the website), creating web office registration and user identification Section a), paragraph (1), article 6 of the GDPR - consent Amazon Web Services (AWS) Until the cancellation of registration or withdrawal of consent. IBAN number (bank account number) Providing services related to the Wallet Section a), paragraph (1), article 6 of the GDPR - consent Amazon Web Services (AWS) Mongo Labs Until the cancellation of registration or withdrawal of consent. Client’s phone number securing wallet- based services Section a), paragraph (1), article 6 of the GDPR - consent AWS Mongo Labs Until the cancellation of registration or withdrawal of consent. Data marked with * shall be provided for registration. If you do not provide the data, you cannot register. Regarding data collected while browsing the Website, please see our cookie policy (section 12). 5.3./ Information regarding the services of BlockBen Financial Services Scope of data processed Purpose of data processing Title of data processing Data processor Term of data processing Name, email address, phone number, Contact related to the service provided by Section b), paragraph (1), article 6 of the BlockBen SIA for 5 years following the performance

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 12 of 37 country of residence BlockBen Financial Services and the performance of the agreement GDPR - performance of agreement of agreement 5.4./ Other communication and complaints Scope of data processed Purpose of data processing Title of data processing Data processor Term of data processing Name, email address, phone number, home address (depending on what data is provided by the Data subject or through what channel communication takes place) In case of contact made by the Data subject the purpose of data processing subject to the purpose of contact (e.g. reply to incoming emails, actual management of complaint and information about the measures taken, etc.) Section f), paragraph (1), article 6 of the GDPR - legitimate interest Description of legitimate interest: later proof of content of communication with clients, complaint management, quality assurance. Freshdesk Servers.com Depending on the nature of communication or complaint but in each case at least for 5 years following the management of the complaint 5.5./ Data processing for marketing purposes Scope of data processed Purpose of data processing Title of data processing Data processor Term of data processing

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 13 of 37 Name, home address, phone number, email address Sending newsletters related to the services of BlockBen Financial Services, direct marketing Section a), paragraph (1), article 6 of the GDPR - consent SendGrid Until the withdrawal of consent 5.6./ Enforcement of claims, disputes, official proceedings Scope of data processed Purpose of data processing Title of data processing Data processor Term of data processing Name, home address, phone number, other information related to claim Enforcement and collection of claims of BlockBen Financial Services, proving the opinion of BlockBen Financial Services in case of enforcement of claims against BlockBen Financial Services, fulfilling official queries and notifications Section f), paragraph (1), article 6 of the GDPR - legitimate interest Designation of legitimate interest: collection of claims, enforcement of claims, protection of rights Section c), paragraph (1), article 6 of the GDPR - statutory obligation in specific case Freshdesk Server.com 8 years following the enforcement of claim or the final closure of proceedings

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 14 of 37 6. Term of data processing 6.1. Personal data shall be deleted 10 years after the cancellation of service, in compliance with Latvian financial regulations and AML requirements, considering that it may be necessary to contact the client within the limitation period. 6.2. The term of data processing for the purpose of client identification and due diligence under the Law on the Prevention of Money Laundering and Terrorism and Proliferation Financing (AML/CFT Law) of Latvia, as well as for the purpose of performing data supply under the same law, shall be at least 5 years following the termination of the business relationship or the completion of a transaction. In case of regulatory requirements, the period may be extended by an additional 5 years. 6.3. Under the Law on Accounting of Latvia, financial transaction receipts and related records must be retained for 8 years following the end of the respective financial year in which the transaction occurred. 6.4. Where necessary for the protection of legal claims, dispute resolution, regulatory investigations, or fraud prevention, data may be stored beyond the specified periods, strictly in accordance with applicable laws and only for as long as necessary.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 15 of 37 7. Data processing 7.1. Data processor shall be the natural or legal person or any other body processing personal data on behalf of the data controller. Data processing shall not mean authorization to make decisions related to the data: the data processor shall execute the data processing decisions of the data controller. 7.2. Data shall be forwarded exclusively for the purpose of performing services and fulfilling statutory obligations to accountants, shipping companies, card issuers, financial institutions and contractual partners. 7.3. The data processor shall not make definitive decisions regarding the data processing and it shall process personal data obtained exclusively on the basis of the instructions of BlockBen SIA; it shall not perform data processing for its own purposes furthermore it shall store and preserve personal data according to the instructions of BlockBen SIA. 7.4. Name of data processors: I./ Sum & Substance (KYC/AML partner) Address: Agiou Andreou 153, 3036, Limassol, Cyprus E-mail: info@sumsub.com Web: https://sumsub.com/ Data Protection Registration Number: ZA222205. Personal data managed by data processor: name; place and date of birth; ID-card number, photo. Task of data processor: The ID-card data of the client concluding agreement with BlockBen SIA shall be compared by the system with a selfie taken by the user. Client inspection from different financial and criminal law aspects.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 16 of 37 II./ Amazon Web Services (AWS) Address: 1200 12th Ave S, Ste 1200, Seattle, WA 98144, United States Web: https://aws.amazon.com, GTC: https://aws.amazon.com/privacy/?nc1=f_pr Task of data processor: operation of website and hosting. III./ SendGrid Web: https://sendgrid.com/ GTC: https://sendgrid.com/policies/privacy/ Task of data processor: storing names and e-mail addresses for later use and target group segmentation for the purpose of profiling. IV./ Freshdesk Address: 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066 Phone: +1 650 513 0514 Web: https://freshdesk.com/ GTC: https://freshdesk.com/gdpr, https://www.freshworks.com/privacy/gdpr/?_ga=2.37913379.1047924319.1533027009- 1494754266.1533027009 Task of data processor: Grouping requests, questions and complaints received by the customer service, replying those, use of personal data for such purpose within the company (name, e-mail address, other data required for the solution of the problem). V./ Auth0 Address: 10900 NE 8th Street Suite 700, Bellevue, WA 98004 Phone: +44 (0) 33-3234-1966, +1 (425) 312-6521, +1 (888) 235-2699 Web: https://auth0.com/

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 17 of 37 Task of data processor: identification, authentication and defence of the security of the customers’ usernames and passwords. VI./ Mongo Labs (ObjectLabs Corporation) Address: 660 York St. Suite 101, San Francisco, CA 94110 Phone: (415) 758-2748 E-mail: support@mlab.com Task of data processor: providing database required for the BlockBen wallet interface.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 18 of 37 8. Forwarding data to third country 8.1. BlockBen Financial Services shall not forward personal data to any third country. 8.2. In the event that such data forwarding becomes necessary then BlockBen Financial Services shall request the personal consent of the client involved to the data forwarding, informing the client about the purpose and circumstances of such data forwarding as well as the provisions set forth in Article 13 and section a), paragraph (1), Article 49. of the GDPR. The list of third country data processors to whom Block Netwörk OÜ provides data: I./ Amazon Web Services (AWS) Inc. Address: 1200 12th Ave S, Ste 1200, Seattle, WA 98144, United States Web: https://aws.amazon.com, GTC: https://aws.amazon.com/privacy/?nc1=f_pr Task of data processor: operation of website and hosting II./ SendGrid Web: https://sendgrid.com/ GTC: https://sendgrid.com/policies/privacy/ Task of data processor: storing names and e-mail addresses for later use and target group segmentation for the purpose of profiling.. III./ Freshdesk Address: 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066 Phone: +1 650 513 0514 Web: https://freshdesk.com/

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 19 of 37 GTC: https://freshdesk.com/gdpr, https://www.freshworks.com/privacy/gdpr/?_ga=2.37913379.1047924319.1533027009- 1494754266.1533027009 Task of data processor: Grouping requests, questions and complaints received by the customer service, replying those, use of personal data for such purpose within the company (name, e-mail address, other data required for the solution of the problem). IV./ Mongo Labs (ObjectLabs Corporation) Address: 660 York St. Suite 101, San Francisco, CA 94110 Phone: (415) 758-2748 E-mail: support@mlab.com Task of data processor: providing database required for the BlockBen wallet interface.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 20 of 37 9. Data security 9.1. In the scope of data security measures the company shall take in particular those technical and organizational measures and establish those procedural rules which ensure that the data processed shall be protected from unauthorized access, modification, forwarding, disclosure, deletion, destruction, accidental termination or damage, furthermore against becoming inaccessible due to the change of the technology applied. 9.2. The company shall take the development of technology into consideration at all times when determining and applying the measures serving data security. In case of several possible data processing solutions, the company shall choose the one providing higher level of protection for personal data except if such solution would constitute unreasonable difficulty for the company. The company shall enforce such requirements towards the data processors as well. 9.3. The company shall take obligation to call any third party to which it may forward or hand over data to observe the above commitments. In case of legitimate data forwarding by the company, the company shall not be responsible for damages caused by the recipient.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 21 of 37 10. Rights of data subjects related to the processing of their personal data 10.1. Data subjects may at any time request information at the contacts indicated in the present policy about the data processing related to them, may request the correction, cancellation or restriction of use of their data and may object to the processing of such personal data. 10.2. BlockBen SIA shall inform the Data subject without unreasonable delay but within one month of the reception of the request by all means about the measures taken as a result of the request below. If necessary, taking the complexity and the number of requests into consideration, such term may be extended by two additional months. BlockBen SIA shall provide information about the extension of the term, also indicating the causes for the delay within one months of the reception of the request. If the request was received electronically, the information shall also take place electronically if possible, except if the Data subject otherwise requests. If BlockBen SIA judges so that we do not need to take measures upon the request of the Data subject then we shall inform the Data subject without delay but within one month from the reception of the request the latest about the reasons for the omission of measures and that the Data subject may make a complaint at the data protection authority and may exercise its right to remedy in front of the court of justice. 10.3. Requests shall be fulfilled free of charge, if however the request is clearly unfounded or excessive especially due to its repeated nature, the company my take the administrative costs arising from the request into consideration and charge a reasonable fee or refuse to fulfil the request. 10.4. If there is founded doubt in relation with the person of the Data subject submitting the request, further information may be required to confirm identity. 10.5. Upon request of the Data subjects, BlockBen SIA shall provide information whether their personal data is being processed and if it is, the Data subjects shall be entitled to access their data processed by BlockBen SIA as well as the information on the purpose of data processing, the categories of the data involved, the recipients or recipient categories to whom the personal data was or will be disclosed, the planned term of data processing or the factors of determining such term as well as the source of data (right of access).

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 22 of 37 10.6. Upon request, BlockBen SIA shall provide the Data subjects with the copy of the personal data processed. For additional copies requested by the Data subjects a reasonable fee may be charged on the basis of administrative costs. If the Data subject submitted the request electronically, the information shall be provided in a widely used electronic format except if the Data subject requests otherwise. 10.7. The Data subject may request the correction of inaccurate data and shall be entitled to request the completion of incomplete data. 10.8. The Data subject may request BlockBen SIA to delete the personal data if: • such data is not needed any longer for the purpose of the data were processed; • the Data subject withdraws consent and there is no other title for data processing; • the Data subject lawfully and successfully objected to the processing of personal data and such data processing is; • data processing is unlawful; • data shall be deleted in order to fulfil a legal obligation of BlockBen SIA; • the Data subject is a minor, below the age of 16. 10.9. Upon the above request, BlockBen SIA shall delete the data except if further data processing is required for: • exercising the right to freedom of opinion and expression as well as information; • fulfilling the legal obligation of BlockBen SIA requiring such data processing; • the purpose of presenting, enforcing or protecting legal claims. 10.10. Upon request from the Data subject BlockBen SIA shall restrict data processing if: • the Data subject disputes the accuracy of personal data in which case the restriction shall apply for the period of time allowing for supervision of the accuracy of data; • although the data processing is unlawful, the Data subject objects to deletion and requests restriction instead; • BlockBen SIA does not need the data processing any longer but the Data subject requests it for presenting, enforcing or protecting legal claims;

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 23 of 37 • the Data subject objected to the data processing; in which case the restriction shall apply for the period of time until it is concluded whether the legitimate reasons of the data processor have priority against the legitimate reasons of the Data subject. 10.11. If the data processing is restricted according to the foregoing, such personal data shall only be processed (except for storage) with the consent of the Data subject or for the presentation, enforcement or protection of legal claims or in order to protect the rights of other persons or for the important public interest of the Union or a member state. BlockBen SIA shall inform the Data subject requesting the restriction about the resolution of the restriction in advance. 10.12. BlockBen SIA shall notify the Data subject and anyone else to whom it had previously forwarded the data about correction, deletion or restriction. BlockBen SIA shall omit such notification if it is impossible or requires great effort. If BlockBen SIA disclosed the personal data and is obliged to delete it, it shall take the reasonable expected measures taking the available technology and the costs of implementation into consideration, including technical measures as well in order to inform the data processors processing the data that the Data subject requested them to delete the links referring to the given personal data or the copies and counterparts of such personal data. 10.13. The Data subject may object to the processing of their personal data a) if it takes place on the basis of legitimate interest; in which case the data processing shall not be continued except if it is reasoned by forcing legitimate causes related to the presentation, enforcement or protection of lawful claims enjoying priority over the interests, rights and freedoms of the Data subject; b) if it takes place for or in connection with direct marketing; in which case the data processing shall not be continued in the future for this reason. Sections 10.2-10.4. shall be governing in case of objection as well. 10.14. On the basis of data portability, the Data subject on the one hand may request BlockBen SIA if it is technically viable to receive its widely used data processed in a machine-readable format and to personally forward it to any data processor. 10.15. If the processing of personal data is carried out on the basis of consent, it may be withdrawn. BlockBen SIA will cease processing for the purpose for which consent was given, except where the personal data is retained for the protection of BlockBen SIA legitimate interests. Withdrawal of consent may not affect the processing of personal data which is necessary to comply with the requirements of laws and regulations

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 24 of 37 or which is based on a contract, BlockBen SIA legitimate interests or other grounds for lawful processing of personal data set out in laws and regulations. 10.16. If BlockBen SIA does not fulfil the above request of the Data subject it shall inform the Data subject about the reason thereof within one month of the reception of the request. 10.17. In the event that according to the view of the Data subject, its rights related to its personal data were injured, please make a complaint to BlockBen SIA at the contacts provided. 10.18. If you believe your personal data rights have been violated, you have the right to lodge a complaint with the competent supervisory authority, which in this case is the Data State Inspectorate of Latvia (Datu valsts inspekcija - DVI): Name: Data State Inspectorate of Latvia (Datu valsts inspekcija) Mail Address: Elijas iela 17, Rīga, LV-1050,Latvia E-mail: info@dvi.gov.lv Web: https://www.dvi.gov.lv/en Phone: +371 67 22 31 31 10.19. In addition to the above, in case of unlawful processing of your data, you have the right to file a complaint with the competent court of justice and initiate a civil lawsuit. The lawsuit shall be adjudicated by the courts of Latvia. You may choose to file the lawsuit with the court in your place of residence or where BlockBen SIA is registered. You can find a list of Latvian courts and their contact details at the following link: https://www.tiesas.lv (Latvian Court Portal).

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 25 of 37 11. Changes of the privacy policy 11.1. The changes of the privacy policy shall be published on the Website. The privacy policy in force at all times shall always be applicable for processing the personal data even if a previous version of the privacy policy was in force when the Data subject registered or provided their personal data otherwise.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 26 of 37 12. Cookie policy 1. Meaning of cookie “Cookies” are files sent by the web server with variable content consisting of letters and numbers saved and stored on the computer of the user for a pre-defined period of time. Cookies allow our web server to recognize your browser and your browsing history of the Website. With the help of cookies we can get an image about the habits and history of the user visiting our website and using the internet. Cookies do not contain any data through which the visitors to the website can be identified, those are exclusively suitable to recognize the computer of the user. If you need further information about these cookies and their operation, you can find detailed information at www.allaboutcookies.org or www.aboutcookies.org. 2. Acceptance by visiting the Website When you visit our Website, the Website collects data with the help of the aforementioned cookies. When you visit our Website, with a click, you may accept the use of cookies incapable of identifying persons by the website in accordance with our privacy policy. You can maintain and/or delete cookies as you wish. If you need more detailed information about this, please visit www.aboutcookies.org. You can delete all the cookies stored on your computer and you can ban their installation in most browsers. In such case you might have to do certain settings manually each time you visit a given website and you may also experience that certain services and functions might not work. 3. Cookies used on our website 3.1. Functional cookies These cookies are needed for the us to collect information about the website using habits of the user (e.g. language, quick test filling, subscribing for newsletters). These cookies are used to provide a better user experience. This type of cookie stays in the cookie file of your browser for a longer period of time. This period of time depends on your browser settings. These cookies forward information to the web server in each case when you visit the Website.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 27 of 37 Cookie name Cookie ID, type Cookie Provider Data handled by Cookie Cookie purpose Duration _ga HTTP Google Tag Manager randomly generated unique ID The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors. 2 years _gid HTTP Google Tag Manager number visitors, the source where they have come from, and the pages viisted in The cookie is used to store information of how visitors use a website and helps in creating an 1 day

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 28 of 37 an anonymous form. analytics report of how the wbsite is doing. _gat HTTP Google Analytics - Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites. 1 day _hjid HTTP Hotjar It is used to persist the random user ID, unique to that site on the browser. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes. 1 year _hjid HTML Hotjar It is used to persist the random user ID, unique to that site on the browser. Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for Persistent

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 29 of 37 statistical purposes. smartlookCookie HTTP Smartlook number visitors, the source where they have come from, and the pages viisted in an anonymous form. Registers data on visitors' web site- behaviour. This is used for internal analysis and website optimization. Session collect Pixel Google visitor’s device and behaviour. Used to send data to Google Analytics about the visitor’s device and behaviour. Tracks the visitor accross devices and marketing channels

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 30 of 37 3.2. Third-party cookies Third-party cookies are downloaded by the User's browser when viewing the Website, but not from the (sub) domain of the Company, but from a third party (typically an advertiser or facebook) domain, since the Website partly consists of such Third-party modules. Third-party cookies are returned to a third party when, for example, a User views an ad or visits their website. These cookies are used by a third party (such as an advertiser) to track the user's complete browsing history for websites that contain so-called "third party" modules (e.g., advertising module, ads). Most browsers have privacy settings that allow you to block / disable Third-party cookies. The Company has no control over Third-Party Cookies, so Users are requested to review these Third- Party Cookies Information. (Google Analytics, Gemius, facebook, doubleclick) Cookie name Cookie ID, type Cookie Provider Data handled by Cookie Cookie purpose Duration t_gid HTTP taboola.com user ID The cookie assigns a unique user ID to users and use this ID for serving relevant advertisement and content. 1 year _fbp HTTP Google Tag Manager user ID Used by facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website 3 months

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 31 of 37 fr HTTP Facebook The cookie tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin. to show relevant advertisments to the users and measure and improve the advertisements. 3 months _hjIncludedInSam ple HTTP Hotjar user ID Determines if the user's navigation should be registered in a certain statistical placeholder. Session eng_mt HTML taboola.com advertisement impression, user interaction Tracks the conversion rate between the user and the advertisement banners on the website - This serves to optimise the relevance of the advertisements on the website. Persistent taboola global:user-id HTML taboola.com Unique visitor ID Sets a unique ID for the visitor, that allows third party advertisers to target the visitor Persistent

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 32 of 37 with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers. taboola_session_i d HTTP taboola.com visitor ID string This cookie is used to collect information on a visitor. This information will become an ID string with information on a specific visitor – ID information strings can be used to target groups with similar preferences, or can be used by third - party domains or ad-exchanges Session trctestcookie HTTP taboola.com user data Detects whether partner data synchronization is functioning and currently running - This function sends Session

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 33 of 37 user data between third-party advertisement companies for the purpose of targeted advertisements. SL_C_ 23361dd035530 _KEY HTTP Smartlook Collects statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising. 13 months SL_L_ 23361dd035530 _KEY HTML Smartlook Persistent SL_C_ 23361dd035530 _SID HTTP Smartlook 13 months SL_L_ 23361dd035530 _SID HTML Smartlook Persistent SL_C_ 23361dd035530 _VID HTTP Smartlook 13 months SL_C_ 23361dd035530 _VID HTML Smartlook Persistent

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 34 of 37 4. Newsletters, e-mails You can also subscribe for our newsletter on our Website and contact us any time also regarding unsubscribing the newsletter. This latter is required to ban us collecting data on whether you opened the newsletters and e-mails we had sent you. Upon interpreting the present policy, the provisions of our data protection policy shall be applicable. 5. Individual cookies used on our website 5.1. Google Analytics: This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer, to help you analyze the use of a web page that a User visits. The information generated by the cookies associated with the User's use of the Site is typically stored on a Google server in the US. By activating the IP anonymization web site, Google will shorten the User's IP address within the Member States of the European Union or other States party to the European Economic Area Agreement. The full IP address will only be forwarded to Google's server in the US and shortened there only in exceptional cases. Google will use this information on behalf of the operator of this web site to evaluate how the user has used the web site, to report web site activity to the web site operator, and to provide additional services related to the use of the web site and the Internet. Within Google Analytics, the IP address transmitted by the User's browser is not reconciled with other Google data. The User may prevent the storage of cookies by properly configuring his / her browser, however, please note that in this case, not all features of this website may be fully utilized. You may also prevent Google from collecting and processing your cookie-related information about your use of the Website (including your IP address) by downloading and installing the browser plug-in available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu 5.2. Hojtar: Website optimization is performed using Hotjar cookies, which collect data on mouse movement, click data and form states. The data is stored on Hotjar.com. During data collection, all form data (with a * character)

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 35 of 37 is masked, and no real data is recorded or stored. Hotjar's Privacy Policy can be found here: https://www.hotjar.com/legal/policies/privacy. 5.3 Google Tag Manager Google Tag Manager is a tag management system that allows you to quickly and easily update your tracking codes and related code snippets (collectively, tags) on your site and in the mobile app. 5.4. Smartlook Smartlook is a user behavior analysis tool that helps understand traffic. Smartlook records users on websites and in iOS & Android apps. https://help.smartlook.com/en/articles/3244452-privacy-policy 5.5. Facebook Pixel Facebook Pixel is an analytics tool that measures the effectiveness of your advertising activity and helps you understand people's actions on your site. Facebook's privacy policy can be found here: https://www.facebook.com/policy.php 5.6. Taboola Pixel The Taboola Pixel allows you understand the actions people take on your site and to optimize your marketing campaigns towards desired and valuable actions. When visitors on your site perform a certain action, the Taboola Pixel can be activated to report that action. https://www.taboola.com/privacy-policy 5.7. SendGrind: A cloud based service used for sending Company newsletters and marketing emails. 6. Switching off and deleting cookies You can switch off the use of cookies in most browsers. Setting this depends on the type of the browser. You can find information about switching out cookies in the “HELP” menu of your browser.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 36 of 37 You can switch of cookies in the settings menu of your browser, in different submenus depending on the given browser.

CONFIDENTIAL Privacy Policy Ver. V1.0 from 2025.06.30 Page 37 of 37 13. Contact If you have any questions, remarks or requests regarding the present privacy policy, or you wish to make a complaint or exercise your rights set forth in Section 10, please contact us at the contact details provided in Section 2. The present privacy policy shall be in force from 01th July 2025.