Data Privacy Policy of QPLIX GmbH

Version: 13 April 2026

This English version isprovided for convenience only. In the event of any discrepancy between theGerman and the English version, the German version shall prevail.

1. Controller and DataProtection Officer
‍The controller responsiblefor the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:

‍QPLIX GmbH
Managing Directors: Mathias Lindermeir, Kai Linde, Philipp Pötzl
Nußbaumstraße 12, 80336 Munich, Germany
Tel: +49 89 998 2716-0
E-mail: info@qplix.com
Local Court (Amtsgericht) Munich, HRB 200052

‍Data ProtectionOfficer:
Mr Markus Bischof
QPLIX GmbH, Nußbaumstraße 12, 80336 Munich, Germany
Tel: +49 89 998 2716-0

2. Principles of DataProcessing
QPLIX processes personaldata in accordance with applicable law, in particular the General DataProtection Regulation (Regulation (EU) 2016/679 – "GDPR") and theGerman Federal Data Protection Act (Bundesdatenschutzgesetz –"BDSG"). Personal data of customers, end users and prospectivecustomers (hereinafter "Customer Data") is processed by QPLIX inprinciple only for the following purposes:
‍
- Pre-contractual measures and contract performance: Implementation of pre-contractual measures and fulfilment of contractual obligations towards the relevant customer or end user, as described in the Terms of Use for End Users (Article 6(1)(b) GDPR).
‍
- Legal obligations: Compliance with statutory obligations, in particular regulatory requirements (Article 6(1)(c) GDPR).

- Legitimate interests: Processing for the purpose of safeguarding legitimate interests of QPLIX, for example the creation of anonymised analyses for the improvement of services, receivables management, legal defence, or direct marketing of QPLIX's own services (e.g. newsletters), provided that the interests, fundamental rights or fundamental freedoms of the data subject do not override such interests (Article 6(1)(f) GDPR). Insuch case, the data subject has the right to object.
‍
- Consent: Processing for purposes other than those set out above, or disclosure to third parties, shall only take place on the basis of duly obtained consent from the data subject (Article 6(1)(a) GDPR).

3. Disclosure of Datato Third Parties
As a general principle,QPLIX does not disclose Customer Data to third parties. By way of exception,disclosure is made to third parties contractually bound to observe dataprotection and data security obligations, to the extent required for thepurposes set out in Section 2. Such recipients include in particular:
‍
- QPLIX employees acting within the scope of their duties;
- external service providers (e.g. IT service providers, account information services engaged by QPLIX);
- operators of end-user applications based on QPLIX services;
- account-holding and custody institutions.

Disclosure is in each caselimited to what is necessary for the fulfilment of the relevant purpose.

4. Retention Period andDeletion
‍QPLIX retains personalCustomer Data for as long as this is necessary for the fulfilment ofcontractual or statutory obligations. As the business relationship is typicallyintended to be long-term, commercial, tax and regulatory archiving,documentation and retention obligations with retention periods generallyranging from two to ten years apply following the end of the contractualrelationship.

After expiry of theseperiods, data will be deleted unless continued (time-limited) processing isrequired for the preservation of evidence within statutory limitation periods(up to 30 years) and QPLIX has an overriding legitimate interest in the retention(Article 6(1)(f) GDPR).

5. Rights of DataSubjects
5.1 General DataProtection Rights
Data subjects have thefollowing rights:
‍
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)

5.2 Withdrawal of Consent
Where data processing isbased on consent, such consent may be withdrawn at any time with effect for thefuture. The lawfulness of processing carried out on the basis of consent priorto its withdrawal shall remain unaffected.

5.3 Exercise of Rights and Identity Verification
For the exercise of certainrights of objection or withdrawal, links or buttons may be provided whereapplicable; the data subject will be informed of this in the relevant context.In addition, data subjects may contact the Data Protection Officer at any time(contact details see Section 1).
In order to processrequests, it may be necessary for the data subject to provide his or her fullfirst and last name, current (and where applicable former) address, date ofbirth and e-mail address. This information serves to verify the identity of thedata subject and thus to protect the data subject against unauthorised accessby third parties. In addition, any offer, reference or contract numberscommunicated by QPLIX would be helpful, though not required, to enable fasteridentification of the relevant data.
The right of access and theright to erasure are subject to the limitations set out in Sections 34 and 35of the German Federal Data Protection Act (BDSG). Furthermore, full or partialfulfilment of data protection rights may be limited in individual cases byother statutory provisions or by legitimate interests of QPLIX.

5.4 Right to Lodge a Complaint
Data subjects have the rightto lodge a complaint with the competent data protection supervisory authority.The supervisory authority responsible for QPLIX is:

Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht –BayLDA)
Promenade 18, 91522 Ansbach, Germany
Tel: +49 981 180093-0
E-mail: poststelle@lda.bayern.de
Web: www.lda.bayern.de

6. Note on the Provision of Personal Data
There is generally nostatutory or contractual obligation on the part of the data subject to providepersonal data prior to entering into a contractual relationship. However,without the necessary data, QPLIX will not be in a position to conclude the contractand provide the contractually agreed services.

7. Use of Cookies andTracking Technologies
To the extent that QPLIXuses cookies or similar technologies in connection with the provision of the Account Information Service (Kontoinformationsdienst), this is done exclusivelyto the extent technically necessary for the proper functioning of the service(so-called technically necessary cookies). Any tracking or use of analyticscookies beyond this scope shall only take place with the express consent of theend user.