This TWave Privacy Policy (**the** "**Privacy Policy"**) therefore intends to inform you about how TWAVE, SL, acting as data controller, collects and processes your personal data that you submit or disclose to us. We process this personal data in accordance with the applicable EU and Member State regulations on data protection in particular, the General Data Protection Regulation No 2016/679 (the "GDPR").

The following sections of this Privacy Policy describe the types of personal data we collect, how and for what purposes we use that personal data, with whom we share it, and the choices and rights available to you regarding our use of your personal data. We also describe the measures we take to protect the security of the personal data we hold and how to contact us about our privacy practices, and to exercise your rights.

We encourage you to read this Privacy Policy carefully. If you do not wish your personal data to be used by us as set out in this Privacy Policy, please do not provide us with your personal data. Please note that in such a case, we may not be able to provide you with our services, you may not have access to and/or be able to use some features of the Website, and your customer experience may be impacted.

Who is the data controller?

TWAVE, SL, with CIF B-74377821 and adress in Parque Empresarial de Asipo, Calle Secundino Roces Riera 1, 2º Puerta 8. 33428 Llanera, Asturias ("TWAVE", "us" or "we") is the data controller and recipient for personal data processed under this Data Privacy Policy and is as such responsible for ensuring that the processing is conducted in accordance with applicable legislation.

How do we use your personal data?

We will always process your personal data based on one of the legal basis provided for in the GDPR.

We may collect and process your personal data for the purposes detailed below, which are required so that we can pursue our legitimate interests and provide you with adequate products and services:

• to provide, improve, and develop our products and services, in particular, to provide TCLOUD Services through our Platform to you.
• to notify you about changes to our products or services.
• to manage your account and contact requests from you.
• to inform you about our policies and terms;
• to use personal information for purposes such as business administration, data analysis, research, and audits;
• to comply with our legal obligations, to enforce our legal rights or to protect rights of third parties.

The use of personal data is necessary for us to provide TCLOUD Services to You. This means that you cannot object to us processing your personal data altogether and still require us to provide our services to you.

However, you are entitled to object to certain use of your personal data, and to opt-out of some kinds of processing.

Subject to obtaining your express prior consent, we may also collect and process your personal data for the following purposes:

• to make marketing advertisements in relation to our services;
• to provide you with information which we feel may be of your interest;
• for any other purposed for which we wish to use your personal data that are not listed in this Privacy Policy.

Please be aware that you are entitled to withdraw your consent at any time, and this without affecting the lawfulness of processing based on your consent before withdrawal thereof.

We will process your data for these specified, explicit and legitimate purposes, and will not further process the data in a way that is incompatible with these purposes. If we intend to process personal data originally collected for one purpose in order to attain other objectives or purposes, we will ensure that you are informed of this. We will keep your personal data for as long as it is necessary for us to comply with our legal obligations, to ensure that we provide an adequate service, and to support its business activities.

What types of personal data do we use?

For the purposes specified under this Privacy Policy, we need to collect categories of personal data that are necessary to achieve the purposes, as described above and further detailed specifically when data is collected.

We can obtain such personal data either directly from you when you decide to communicate such data to us (i.e., when you sign up for and use our TCLOUD Services or when you fill in forms displayed on our Website) or indirectly where such personal data is provided to us by your electronic communication terminal equipment or your Internet browser. We ensure that the personal data processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

How do we share your personal data?

We do not sell, otherwise disclose, or share data we collect and hold about you, except as described in this Privacy Policy.

We may share your personal data with third parties as described below:

• to our affiliated companies, which may use this data to offer products and services to you consistent with the purposes identified in this Privacy Policy;
• to third party service providers who have been appointed as data processors to perform functions and services on our behalf and who will be provided only with personal data necessary to perform the services on our behalf but are not authorised by us to use such data for any other purposes (e.g. administrative/operational services, hosting services, information technology systems,...);
• to our advisors and insurers in the event of a claim, dispute or where otherwise necessary;
• if we are required to do so by law or pursuant to legal process or to comply with any applicable rules or regulations.

Data Trasnfers

We may transfer personal data we have collected from you to a third party data processors located in countries outside the European Economic Area (EEA). When we transfer your data to other countries, we will protect the data as described in this Privacy Policy and comply with applicable legal requirements providing adequate protection for the transfer of data to countries outside the EEA.

We will only transfer your personal data if:

• the country to which the personal data will be transferred has been granted a European Commission adequacy decision;
• the recipient of the personal data is located in the US and has certified to the US-EU Privacy Shield Framework; or
• we have put in place appropriate safeguards in respect of the transfer, for example we have entered into EU standard contractual clauses with the recipient, or the recipient is a party to binding corporate rules.

How we protect your personal data

We maintain administrative, technical and physical safeguards designed to protect the personal data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. Service providers and contractors who might have access to your data in order to provide services on our behalf will be contractually obliged to keep such data in confidence, provide adequate data security measures, and may not use that data for any other purpose.

Our cloud infrastructure service providers AWS have signed the CISPE Data Protection Code of Conduct. CISPE Code of Conduct provides a framework to ensure that the data processing activities carried out by Cloud Infrastructure Service Providers (CISPs) are compliant with the current Data Protection Directive and the General Data Protection Regulation (GDPR)

How long will your personal data be retained by us?

We will retain your personal data only for as long as is necessary. We maintain specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria:

• We retain your data as long as we have an ongoing relationship with you (in particular, if you have a user account with us).
• We will only keep the data while your account is active or for as long as needed to provide services to you.
• We retain your data for as long as needed in order to comply with our global legal and contractual obligations.

Which rights do you have with respect to the processing of your personal data?

You are entitled (in the circumstances and under the conditions, and subject to the exceptions, set out in applicable law) to:

• Request access to the personal data we process about you: this right entitles you to know whether we hold personal data about you and, if we do, to obtain information on and a copy of that personal data.
• Request a rectification of your personal data: this right entitles you to have your personal data be corrected if it is inaccurate or incomplete.
• Object to the processing of your personal data: this right entitles you to request that TWAVE no longer processes your personal data.
• Request the erasure of your personal data: this right entitles you to request the erasure of your personal data, including where such personal data would no longer be necessary to achieve the purposes.
• Request the restriction of the processing of your personal data: this right entitles you to request that TWAVE only processes your personal data in limited circumstances, including with your consent.
• Request portability of your personal data: this right entitles you to receive a copy (in a structured, commonly used and machine-readable format) of personal data that you have provided to TWAVE, or request TWAVE to transmit such personal data to another data controller.

To exercise your rights as set out above or to make a complaint or submit an inquiry about our privacy practices, please contact us at info at twave.io

Updates to our Privacy Policy

This Privacy Policy may be updated periodically and without prior notice to you to reflect changes in our processing of your personal data and privacy practices. We will post a prominent notice on our website to notify you of any significant changes to our Privacy Policy and indicate at the top of the Privacy Policy when it was most recently updated.

How to contact us?

If you have any questions or comments about this Privacy Policy, or would like further information, or to exercise your rights (as detailed above) we would ask you to first contact at TWAVE,SL, Parque Empresarial de Asipo, Calle Secundino Roces Riera 1, 2º Puerta 8. 33428 Llanera, Asturias Asturias, or by email at info\@twave.io

In the unlikely event that you wish to lodge a complaint about our collection, transfer or processing of your personal data, you can lodge a complaint with the Agencia Española de Protección de Datos which is the Public Supervisory Authority of TWAVE, SL or the Supervisory Authority in your country of residence.