Identification of the administrator: FABIS Digital SE, ID No.: 21989117, with registered office at Rohanské nábřeží 678/23, Karlín, 186 00 Prague 8, file number H 2694, registered at the Municipal Court in Prague ("we").

Contact details of the administrator: podpora@fabis.cz

Contact details of the Data Protection Officer: dpo@fabis.io

In this document we will inform you about how we process your personal data, the purposes of the processing, the lawfulness of the processing, the storage period or your rights in relation to the processing of personal data. The processing of personal data is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR").

This document serves as an information document within the meaning of Articles 13 and 14 of the GDPR and is intended for our FABIS platform available on the website: www.fabis.cz ("Platform").

In operating the Platform, we act in two roles. In the first, we are the data controller, i.e. we determine the purposes and means of processing, in particular in connection with the creation of the main user account on the Platform, in connection with billing, the protection of our own rights, the storage of cookies and the provision of related activities. In the second role, we act as data processors. Our Platform is a comprehensive educational venue and documentation management system, and we act as a data processor in relation to data that is entered into the Platform specifically to support these activities (for example, about your employees). We will very rarely take on the role of controller for this personal data, particularly in connection with legal obligations that fall on us.

In this document, you will learn how we handle personal data as data controllers.

A. SCOPE OF PERSONAL DATA

If you choose to register a user account on the Platform, or if we do so on your behalf, for example, we will obtain personal data from you that is related to the performance of the mutual contractual relationship. The Platform is designed as a B2B platform, however, in the course of the mutual contractual relationship, personal data will also be processed, which we have divided into the following categories for clarity:

• Identification data, which are your name and surname, the name of the company you represent, the position in the company you hold;

• Contact details, which are your email address and telephone number. Your e-mail address is important to us, because it is through e-mail that we will communicate together and that the contractual relationship will be ensured and implemented. However, in addition, email may be used for other purposes as set out later in this document;

• Billing data, which is the registration number, address, VAT number and, if applicable, other necessary data for the fulfilment of legal obligations (these data will be registered to you as the contact person, therefore they are listed as personal data);

• Payment Data, which is the account number, bank details, payment card number (if entered into the Platform via a payment gateway, and we never store specific payment card information beyond what is provided to us by the payment gateway provider);

• Information related to the operation of the Platform, which includes your IP address, Platform browsing data, system information, resolution;

• Data entered into the Platform, whereby we act as data processors in relation to such personal data. A specific list of data is available in the processing terms available in the Platform's terms and conditions. However, in connection with the performance of certain legal obligations in accordance with Article 28(3)(g) of the GDPR, such personal data may be stored. The details are described below;

• Information about your courses embedded in the Platform (EDU module), which includes the course title, description, data related to the course, user ratings of the course, categories, etc.;

• Information from the contact form or communication with each other, provided that you choose to provide us with additional information via the contact form or in the course of communicating with us;

• Cookie data, i.e. data obtained from cookies and similar technologies that we use. Specifically, this includes analytics data and identifiers associated with third party cookies that are deployed on the Platform. More detailed information on the processing of cookies is available later in this document.

We will process this personal data about you in connection with the operation of your administrator account on the Platform, the provision and performance of contractual obligations and the provision and performance of other purposes as described below. The provision of personal data (to the extent required upon registration) is a necessary part of the performance of the contractual relationship. Without the provision of such data, it will not be possible to create a user account and thus enter into a contractual relationship (which arises whether as part of a trial version, a paid version or a physical contractual relationship).

B. PURPOSES OF PROCESSING PERSONAL DATA

We will process personal data for the following purposes, and we have categorised the purposes according to the type of interaction with you.

In connection with a registered account on the Platform

B.1 Provision of services and functionalities of the Platform

Whether you choose to register an account on the Platform yourself by clicking the sign-up button or we create a user account for you on the Platform as part of an agreed collaboration, we will process personal data specifically for the purpose of implementing the contractual relationship thus established. The contractual relationship is established either by concluding a mutual contract or by confirming the terms and conditions and registering on the Platform. Personal data for this purpose will be processed in particular for the registration of the contractual relationship, the implementation of the individual rights and obligations arising from the contractual relationship, the provision of mutual communication, the resolution of any problems, the implementation of payments and the provision of service obligations. At the same time, the registration of the activity in the Platform is also related to this purpose, in order to evaluate the remuneration well in particular. As part of this purpose, we also use your personal data for the purposes of pre-contractual negotiations, background research, etc.

For this purpose, we process your Identification Data, Contact Data, Billing Data, Payment Data, Information related to the operation of the Platform Information from the contact form or mutual communication (if related to the contractual relationship implemented), Information about your courses entered into the Platform.

The legal basis for this processing is the performance of the contract between you and us and the need to take action at your request before entering into the contract or, where you are not directly party to the contract (if you are, for example, an employee of the customer), our legitimate interest in the performance of any contract entered into, to the extent necessary to identify the contact and responsible person for the customer's actions.

The data is processed for the duration of the contract entered into and for the period necessary for the performance of the obligations under such contract.

B.2 Ensuring communication

We may also process your personal data in the absence of a mutual contractual relationship, if you choose to contact us via the contact form on the Platform or otherwise establish communication with us. In this case, we will process your personal data in order to ensure mutual communication and to provide answers to your questions.

For this purpose, we process your Identification Data, Contact Data, Information from the contact form or mutual communication.

The legal basis for this processing is our legitimate interest, which is to ensure mutual communication.

For this purpose, the personal data will be stored for the time necessary to process the communication. Alternatively, it may also be stored for other purposes as set out in this document, for example, provided that a contract is subsequently concluded or it is necessary for the protection of our own legal interests.

B.3 Protection of own legal interests and settlement of any disputes

In connection with the performance of a contractual relationship on the Platform, it is also related that claims and other demands may arise from customers, users of the Platform and other entities during the contractual relationship or after the termination of the contractual relationship. These claims may include claims where we need to store your personal data in order to protect ourselves appropriately. For this reason, to protect our own legal claims, we will process your personal data.

For this purpose, we process your Identification Data, Contact Data, Billing Data, Payment Data, Information related to the operation of the Platform Information from the contact form or mutual communication (if related to the contractual relationship implemented), Information about your courses entered into the Platform (in the case of the EDU module).

The legal basis for this processing is our legitimate interest in keeping internal records, statistics and the protection of our rights. The data is processed for as long as you can exercise your rights, if applicable, or for as long as we can use the data for our own protection. This period is most often set to the extent that the statute of limitations runs, which can be up to 10 years. However, in the case of a pre-existing dispute or claim, this period will be set proportionately for the duration of such proceedings.

B.4 Compliance with legal obligations

If you use the paid version of the Platform, we collect financial remuneration for the operation of the Platform. In this context, we may also process your personal data in order to comply with our legal (statutory) obligations, at the same time we need to be prepared to provide assistance to public authorities if we are required to do so by law. The legal regulations that we have to follow in particular when operating the platform are the Accounting Act, tax regulations (income tax, VAT).

For this purpose, we process your Identification Data, Contact Data, Invoicing Data, Payment Data (all to the extent required by specific legislation).

The legal basis for this processing is the performance of our legal obligations. The data is processed for the period of time required by law, which in the area of accounting and tax is 5-10 years (depending on the type of documents).

B.5 Ensuring obligations related to mechanisms for taking action for illegal content

In accordance with Regulation (EU) 2022/2065 of the European Parliament and of the Council ("DSA"), we are obliged as Platform Providers to put in place mechanisms to enable entities to report the occurrence of information that may be considered illegal content. At the same time, we must take measures to remove illegal content and, when requested by administrative authorities, hand over the requested information. In this context, we will process personal data to the extent specified in Article 7 of the Terms of Use of the Online Marketplace, which is part of the Platform's Terms and Conditions.

The purpose of the processing is to ensure due diligence for a transparent and secure online environment in relation to the content that may be posted on the Platform by other users, in relation to the courses posted, comments under these courses, etc. within the EDU module. This purpose includes precisely the adoption of mechanisms that ensure that notifications of suspected illegal content are received, evaluated and acted upon and shared with the administrative authorities.

The legal basis for the processing of your personal data is primarily the performance of legal obligations within the meaning of Article 6(1)(c) GDPR, to the extent required in particular by Article 15(3) DSA, Article 16 DSA. However, personal data will also be processed for the performance of tasks carried out in the public interest pursuant to Article 6(1)(e) of the GDPR, to the extent that the DSA does not specify what personal data are to be processed, in particular in connection with the assessment of the illegality of content, the transmission of information to the administrative authorities, informing about the identity of the whistleblower, and other activities related to the performance of obligations under the DSA.

The DSA sets out a precise time limit for the processing of personal data, whereby personal data will be stored for a period of 5 years in connection with the performance of the obligations under the DSA, in connection with a possible period for the imposition of a sanction.

B.6 Sending commercial communications

We may also use your personal data to send you newsletters and similar commercial communications, subject to the rules set out below.

For this purpose, we process your Identification Data (if known) and Contact Data.

The legal basis for the processing is twofold, depending on how you are included in our newsletter list.

If you have registered on the Platform and created an account, a contractual relationship is created between you and us. In this case, you are therefore our customers and will be included in the newsletter list on the basis of our legitimate interest, which consists of direct marketing.

If you have chosen to subscribe to the newsletter using a separate newsletter form, the legal basis for this processing is your consent to receive commercial communications, which you have just given by clicking on the subscription button.

We will process your personal data until you have opted out of sending us commercial communications, which you can do in each individual email. This is either to object to direct marketing or to withdraw consent (whereby withdrawal of consent does not affect the lawfulness of processing prior to withdrawal).

Processing related to the use of the Platform as such

B.7 Operation of the Platform and its security (necessity)

We process your personal data for the operation of the Platform and its security, i.e. for the presentation of information on the Platform, the functioning of the application parts, the internal functioning of the Platform, and for ensuring your security.

For this purpose, we process your Information related to the operation of the Platform and Cookie Data.

The legal basis for this processing is our legitimate interest in the proper functioning and secure operation of the Platform. The Data is generally processed for the duration of your visit to the Platform, but at most for a period of 1 year after it is collected.

B.8 Analysis of Platform traffic (analytics)

However, in addition to the operation of the Platform, we may also process personal data and other data in connection with analytics activities on our Platform.

Our Platform uses "cookies" and other technologies that store small amounts of data on your computer or device to enable the collection of statistical information from your web browser. Cookies are commonly used on the Internet and allow a website/portal to recognize a user's device without uniquely identifying the individual person using the computer. These technologies assist us in identifying important information to further improve the Platform and tailor it to your needs. As part of this purpose, we may monitor traffic to the Platform, obtain important information about your use of the Platform and your preferences, optimize the Platform and generally make your visit to the Platform more user-friendly.

With your consent granted via the cookie bar, we may process Cookie Data for this purpose to facilitate more detailed analyses of your visits to the Platform (analytical cookies), in which case your personal data may also be transferred to third parties. Specifically, Google Analytics and Microsoft Clarity are deployed on the Platform.

Personal data is processed until your consent is withdrawn, but in any case for no longer than the period indicated for each cookie. The specific storage period may vary according to the different types of tools and cookies that are deployed on the Platform.

C. SHARING OF PERSONAL DATA

We process the above personal data as so-called data controllers. Thus, we determine the purposes and means of processing. We are the ones who decide what personal data we require from you when registering for the Platform, ensuring the execution of the contractual relationship, protecting our legal interests, etc.

However, other external entities, called recipients of personal data, to whom we transfer personal data (whether for legal or other reasons) may also participate in the processing. Specifically, these are:

• Individual users of the Platform, if you have published a course or assessment on the Platform (EDU module);

• Google Ireland Limited in relation to Google Workspace and Google Analytics, where shared to the US, the company is registered with the Data Privacy Framework;

• Microsoft Corporation, providing the Microsoft Clarity tool. In the case of sharing to the US, the company is registered with the Data Privacy Framework;

• Amazon Web Services EMEA SARL, which provides storage of personal data;

• Pipedrive OÜ, the company providing the CRM system;

• the company providing the Platform solution, which is Contember Limited;

• SMS gateway provider ZooControl Ltd;

• the DNS management company Cloudflare, Inc., which is registered with the Data Privacy Framework;

• the integration company Celonis, Inc.;

• the storage company Hetzner Online GmbH;

• the support company Intercom, Inc;

• the company providing documented development, which is Linear, Inc;

• the billing companies Stripe, Inc. and Fakturoid Ltd;

• an accounting services company, Dype Ltd;

• the accounting system provider ABRA Software a.s.;

• companies providing email services, which are ActiveCampaign, LLC, a company registered under the Data Privacy Framework, and SmartSelling a.s. for email marketing;

• a company providing telecommunication services, which is CloudTalk s.r.o.;

• a company providing a document management and project management application, which is Mango Technologies, Inc.

Where we share your personal data with controllers and processors in third countries (outside the EEA), we only do so where these parties meet the sufficient safeguards set out in Article 44 et seq. of the GDPR.

D. YOUR RIGHTS IN PROCESSING AND THE POSSIBILITY OF EXERCISING THEM

You have the right to (i) request access to your personal data; (ii) withdraw your consent; (iii) request the rectification of your personal data; (iv) request the erasure of your personal data; (v) request the restriction of the processing of your personal data; (vi) request the portability of your personal data; (vii) object to the processing of your personal data; or (viii) lodge a complaint with the relevant supervisory authority.

For all issues related to the processing of your personal data, whether it is a question, exercise of rights, sending a complaint to us, etc., you can contact us via the email address provided at the beginning of this document.

D.1 Right of access

You have the right to obtain confirmation from us as to whether or not we are processing your personal data.

If we do process your personal data, you also have the right to request access to information about the purpose and scope of the processing, the recipients of the data, the duration of the processing, the right to rectification, erasure, restriction of processing and to object to processing, the right to lodge a complaint with a supervisory authority and the sources of the personal data (this information is already provided in this document).

You can also ask us for a copy of the personal data we process. We provide the first copy free of charge, others may already be subject to a fee. The scope of the data provided may be limited so as not to interfere with the rights and freedoms of others.

D.2 Right to withdraw consent

You have the right to withdraw your consent to the processing of personal data at any time. However, the withdrawal of consent does not affect the lawfulness of the processing prior to the granting of such consent, nor does it lead to the termination of the processing of personal data that has already been anonymised.

D.3 Right to rectification

You have the right to request us to correct inaccurate personal data concerning you. Depending on the purpose of the processing, you may also have the right to have incomplete personal data completed, including by providing an additional declaration.

D.4 Right to erasure (right to be forgotten)

You have the right to request the erasure of your personal data where:

• We no longer need your personal data for the purposes for which they were collected or processed;

• you withdraw the consent on the basis of which the personal data was processed and there is no further reason for processing it:

• you object to processing and there are no other overriding reasons for processing, or you object to processing for direct marketing purposes;

• the personal data are processed in breach of the law.

However, you cannot exercise this right if the processing is necessary for compliance with our legal obligations or for the performance of tasks entrusted to us in the public interest or for the establishment, exercise or defence of legal claims.

D.5 Right to restriction of processing

You have the right to request restriction of the processing of your personal data where:

• you contest the accuracy of your personal data; in this case, you may request the restriction of processing until the accuracy of the personal data has been verified;

• the processing is in breach of the law and instead of erasure you request restriction of the processing of your personal data;

• We no longer need your personal data for the purposes for which it was collected or processed, but you require it for the establishment, exercise or defence of legal claims;

• you have objected to the processing of your personal data; in this case, you may request a restriction of processing pending verification that our legitimate interests prevail.

D.6 Right to portability

You have the right to obtain a copy of your personal data that we process by automated means on the basis of your consent or for the performance of a contract. We will transmit this data in a commonly used and machine-readable format to you or to a controller designated by you, if technically feasible. The scope of the data provided may be limited so as not to interfere with the rights and freedoms of others.

D.7 Right to object

You have the right to object to the processing of your personal data that we process on the basis of our legitimate interest. We will stop processing your data if there are no other overriding reasons for the processing or if the processing is not necessary for the establishment, exercise or defence of legal claims or if you object to processing for direct marketing purposes.

E. RIGHT TO LODGE A COMPLAINT

In addition to the possibility of exercising your rights with our company, you can also file a complaint with the competent supervisory authority, which is the Office for Personal Data Protection located at Pplk. Sochora 27, 170 00 Prague 7.

F. CHANGES TO THIS PROCESSING INFORMATION

We are entitled to change this processing information from time to time, so please check it regularly. We will post any changes to this document on our Platform.

Validity of the document from: 1.9.2025