Appendix 2. Effective as of December 14, 2025

DATA PROTECTION TERMS

1. APPLICABILITY

1.1 In fulfilling the requirements of EU Regulation 2016/679 of 27 April 2016 (the General Data Protection Regulation, hereinafter as “GDPR”) and in the interest of ensuring transparency in the processing of Personal Data, we hereby present information on how Flovi processes personal data.

1.2 These data protection terms ("Data Protection Terms") and the Privacy Policy of Flovi found in each country.

1.3 By accessing the Services, the Customer accepts the applicable Terms of Use and these Data Protection Terms regarding the processing of Personal Data.

2. CONTROLLER

2.1 The Controller of Personal Data is the Flovi entity responsible for the country in which the services are provided.

2.2 Flovi operates through country-specific legal entities. The identity and contact details of the applicable Controller are provided in the country-specific version of Privacy Policy.

2.3 For matters related to data processing and the exercise of rights of data subjects, the Controller may be contacted by email.

3. NATURE AND PURPOSE OF THE PROCESSING OF PERSONAL DATA

3.1 The Service enables to keep Customer’s personal records and to process Personal Data and other data in the Service.

3.2 The Personal Data will be processed by the Controller for the following purposes:
3.2.1 management of Identifiers and other necessary Personal Data to enable the use of the Service (legal basis: Article 6(1)(b) GDPR);

3.2.2 processing of data provided by the Customer in connection with vehicle relocation, used solely for the Flovi’s own purposes, in particular for the execution and management of the relocation (legal basis: Article 6(1)(b) GDPR – performance of a contract; and Article 6(1)(f) GDPR – legitimate interest of Flovi);

3.2.3 provision, development, and monitoring of customer service and communication related to the Service, constituting Flovi’s legitimate interest in ensuring high-quality Service (legal basis: Article 6(1)(b) GDPR – performance of a contract; and Article 6(1)(f) GDPR – legitimate interest);

3.2.4 collection and processing of Customer feedback and data regarding Customer satisfaction, constituting Flovi’s legitimate interest in improving Services and service quality (legal basis: Article 6(1)(f) GDPR);

3.2.5 performance of the contract concluded with the Customer, including, in particular, provision of the Service and its settlement (legal basis: Article 6(1)(b) GDPR).

4 RIGHTS OF DATA SUBJECTS

4.1 A data subject may exercise the following rights with respect to the Controller:

4.1.1 the right of access and rectification - the data subject may request information about their Personal Data and ask for any inaccurate data to be corrected (Articles 15 and 16 GDPR);

4.1.2 the right to restrict processing – the data subject may request that the Controller temporarily limit the processing of their data, for example when: the accuracy of the data is being verified; an objection to processing has been submitted and is awaiting review; the data subject believes the processing is unlawful but does not want the data deleted yet; the data is needed to establish or defend legal claims (Article 18 GDPR)

4.1.3 the right to erasure (right to be forgotten) – the data subject may request deletion of their data in the situations set out in Article 17 GDPR;

4.1.4 the right to data portability – the data subject may receive their Personal Data in a structured, commonly used, machine-readable format, or request that it be transferred to another controller (Article 20 GDPR);

4.1.5 the right to object – the data subject may object at any time to the processing of their Personal Data when such data is processed based on the Controller’s legitimate interests (Article 21 GDPR).

4.2 To exercise these rights, the Controller may ask the data subject to provide additional information necessary to verify their identity. The Controller may retain limited Personal Data related to the request only to document that it was handled in accordance with the law. Such data will be stored no longer than the relevant limitation periods, which constitutes the Controller’s legitimate interest (Article 6(1)(f) GDPR).

4.3 The data subject also has the right to lodge a complaint regarding the processing of their Personal Data with the President of the Personal Data Protection Office.

5. ADDITIONAL PROVISIONS

The Privacy Policy of the register describing Flovi’s processing activities as a data controller in more detail is available on Flovi's website https://flovi.io/pl.

6. DATA PROCESSOR

6.1 To the extent that the Customer provides Flovi with Personal Data solely for the purpose of performing a specific order, Flovi shall act as a data processor, and the processing shall take place solely on the Customer’s instructions and to the extent necessary to perform the order. The conditions of processing in this context are set out in these Data Protection Terms.

6.2 The basis for the processing of Personal Data is a contractual relationship between Flovi and the Customer, an assignment given by the Customer, consent given by the User or other factual connection.

7. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

For the purposes indicated in Section 8, the Controller (acting as data processor) may process the following categories of Personal Data:

7.1 Identity data (such as name, title, position in the company) of the Customer, its representatives and Customer’s end-customers;

7.2 Contact details (such as address, email address, telephone number).

8. PURPOSE AND DURATION OF THE PROCESSING OF PERSONAL DATA

8.1 Personal Data may be processed in the Service for as long as the Customer has access to the Service. In its role as controller, the Customer shall specify the duration of the processing of Personal Data.

8.2 Flovi shall not disclose the Customer's and/or User's Personal Data to third parties, except to the subcontractors and service providers mentioned in Section 13.

9. FEES

Flovi shall provide reasonable assistance to the Customer in complying with its obligations as data controller under GDPR, where required. Unless otherwise agreed in writing, such assistance shall be charged in accordance with Flovi’s then current fee list and may be subject to additional fees.

10. GENERAL RIGHTS AND OBLIGATIONS IN RELATION TO THE PROCESSING OF PERSONAL DATA ON BEHALF OF THE CUSTOMER

10.1 The Customer has the right to give Flovi binding written instructions on the processing of Personal Data in the cases specified separately. Flovi shall enable the Customer to access, rectify, delete, restrict and transfer Personal Data by the Customer. Flovi shall comply with all instructions relating to the foregoing without undue delay and in any event within 14 calendar days.

10.2 Flovi shall notify the Customer if Flovi becomes aware that the Customer's instructions are in breach of GDPR.

10.3 The Customer, as controller, shall take the necessary steps to ensure that the processing of Personal Data transferred to the Service in respect of the Customer complies with GDPR.

10.4 Flovi shall provide the Customer and the User with such information as the Customer may need to fulfil the rights of data subjects, including access rights and Identifiers, or to comply with the requirements or guidance of data protection authorities. Flovi shall also assist the Customer, as necessary, in the data protection impact assessment and prior consultation with the supervisory authority.

10.5 Flovi shall promptly inform the Customer of any requests or enquiries from data subjects, data protection authorities or other authorities that relate to the Customer’s Personal Data. Flovi shall be entitled to charge these tasks in accordance with the Parties' Agreement or, if no fee has been agreed, in accordance with Flovi's fee list. Flovi shall reasonably assist the Customer in its communications with any supervisory authority, including providing information requested by the supervisory authority in accordance with the Customer's instructions. For the avoidance of doubt, Flovi may not disclose Personal Data or any other information relating to the processing of Personal Data to a supervisory authority without the express instructions of the Customer.

10.6 If the data subject requests information from Flovi in relation to the processing of Personal Data, Flovi shall forward the request to the Customer and assist the Customer in responding to the request in accordance with the requirements of GDPR. Flovi shall assist the Customer with appropriate technical and organizational measures, taking into account the nature of the processing.

10.7 Flovi shall maintain a record of all processing activities carried out on behalf of the Customer. Flovi shall, without undue delay, make the record available to the Customer in a commonly used written and electronic format at the Customer's request. The record shall contain at least the following information:

10.7.1 the name and contact details of Flovi, including, where applicable, the details of Flovi's authorized representative and data protection officer (as defined in the GDPR);

10.7.2 where applicable, the names and contact details of all subprocessors, including, where applicable, the details of their authorized representatives and data protection officers;

10.7.3 where applicable, information on the transfer of Personal Data to a third country, including information on the third country concerned and the applicable transfer basis for the transfer of Personal Data ensuring an adequate level of data protection; and

10.7.4 a general description of the technical and organizational security measures in place to ensure an adequate level of security of the Personal Data.

11. DATA SECURITY

11.1 Flovi shall take appropriate technical and organizational measures to prevent unauthorized and unlawful processing of Personal Data and to prevent accidental loss, alteration, destruction or damage to Personal Data in the Service. Appropriate technical and organizational measures include, but are not limited to:

11.1.1 pseudonymization and encryption of Personal Data;

11.1.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;

11.1.3 the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

11.1.4 a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

11.2 In implementing appropriate technical and organizational security measures, Flovi shall have regard to relevant codes of practice, industry best practice and guidelines and directives issued or approved by supervisory authorities.

11.3 Where Flovi acts as a processor, it shall ensure that the persons who process Personal Data are bound by confidentiality obligations or are under an appropriate legal obligation of confidentiality and that the Personal Data is processed only in connection with the agreed purpose of the work.

11.4 Flovi shall notify the Customer without undue delay in writing of any data breach of Personal Data and any other event that compromises the security of the Customer's or Users' Personal Data, or where Flovi has reason to believe that the security of Personal Data may have been compromised. In any event, Flovi shall make the aforementioned notification as soon as possible after Flovi becomes aware or should have become aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data. At the Customer's request, Flovi shall provide the Customer with all relevant information relating to the data breach. Flovi shall also inform the Customer of any actions taken in response to the data breach.

11.5 Unless otherwise required by law binding Flovi, Flovi's breach notification to the Customer shall include at least:

11.5.1 a description of the nature of the data breach;

11.5.2 identification of the data that has been compromised by a data breach;

11.5.3 the data that has been compromised by a data breach includes Personal Data, a description of the categories of data subjects concerned and the total number of data subjects affected;

11.5.4 a description of the mitigating measures Flovi has taken or will take to prevent future data breaches;

11.5.5 a description of the likely consequences of the data breach; and

11.5.6 a description of the measures Flovi will take to mitigate the adverse effects of the breach.

11.6 Flovi shall document all data breaches and the related facts, effects and corrective measures taken and shall cooperate with the Customer and ensure that the Customer has the information and documentation required by GDPR available.

12. LOCATION OF PERSONAL DATA

12.1 Flovi is entitled to freely transfer Personal Data within the EU/EEA for the purpose of providing the Service. Flovi is also entitled to transfer Personal Data outside the EU/EEA in accordance with GDPR.

12.2 The Customer has the right to obtain from Flovi information about which service providers Flovi uses to store Personal Data and whether the data storage facilities are located within or outside the EU/EEA. The service providers are listed on Flovi's website.

12.3 If Personal Data is transferred outside the EU/EEA, each Party shall ensure compliance with GDPR with respect to the processing of Personal Data. Transfers shall only be made to countries that the European Commission has recognized as providing an adequate level of data protection or if no adequacy decision exists, transfers shall be subject to appropriate safeguards, such as the Standard Contractual Clauses (SCCs) or other valid transfer mechanism under GDPR.

12. 4 Flovi shall Provide the Customer, upon request, with copies of relevant safeguards (e.g., signed SCCs or relevant contractual terms) subject to redactions where necessary to protect business confidentiality.

13. USE OF THIRD PARTIES FOR DATA PROCESSING

13.1 Flovi may engage another data processor as a subprocessor for the processing of Personal Data. Flovi may engage new or replace existing subprocessors in the course of providing the Services. Flovi shall notify the Customer of any intended changes concerning the addition or replacement of subprocessors.

13.2 If the Customer does not object to such change in writing within thirty (30) days of receiving the notification, the Controller shall be deemed to have accepted the change. Continued use of the Services after this period shall constitute acceptance of the new or replaced subprocessor.

13.3 If the Customer objects to the change within this period and the Parties are unable to reach a mutually acceptable resolution within thirty (30) days, either Party shall have the right to terminate the Agreement by giving written notice, without liability (except for fees accrued up to the date of termination).

13.4 Where Flovi uses a subprocessor to process Personal Data, the following conditions shall apply:

13.4.1 the said assignment is governed by a written agreement; and

13.4.2 the written agreement shall oblige the subprocessor to comply with the same obligations and commitments that apply to Flovi under this Agreement and GDPR, and grants the Customer the same rights vis-à-vis the subcontractor as those that the Customer has vis-à-vis Flovi.

13.5 Flovi shall be liable for the acts and omissions of any of its subprocessors in relation to the Customer.

14. DELETION AND RETURN OF PERSONAL DATA

14.1 During the term of the Agreement, Flovi shall not delete any Personal Data stored by the Customer or User in the Service without the express written request of the Customer or User.

14.2 Upon termination of the Agreement, Flovi shall, at the Customer's option, either delete or return to the Customer all Personal Data stored in the Service on behalf of the Customer and delete all copies thereof, unless Flovi is required by law to retain the Personal Data or the Customer does not request the deletion or return of the Personal Data stored by the Customer or the User, Flovi shall retain the Personal Data stored by the Customer and Users in the Service for six (6) months after the termination of the Agreement, after which Flovi shall delete all copies thereof, unless the law requires Flovi to retain the Personal Data or part thereof for a longer period.

15. AUDYTY

15.1 The Customer or an auditor authorized by the Customer shall have the right to audit Flovi's processing of Personal Data in order to assess Flovi's compliance with GDPR and its obligations under these specific terms in relation to the processing of Personal Data.

15.2 Flovi guarantees the Customer the rights to audit Flovi as required by the GDPR.

15.3 Any audit by the Customer shall be without prejudice to Flovi's obligations and responsibilities under these specific terms or the Agreement.

15.4 The Customer shall bear its own costs of any audit required by it and the costs of any external auditor(s) it chooses. If the audit identifies material data security risks or breaches of these terms or GDPR, Flovi shall bear its own costs, otherwise the Customer shall bear such costs.

16. LIABILITY AND LIMITATIONS OF LIABILITY

The provisions of the Flovi’s General Terms and Conditions regarding liability and limitations of liability shall apply to these Data Protection Terms.