Read

Privacy Policy

I. INTRODUCTION

The security and proper use of personaldata are of utmost importance to our customers, as well as to J POINTGROUP LTD and its employees, partners, subcontractors, and owners.Therefore, it is important for us that all parties involvedunderstand why and how we process their personal information.

This Personal Data Policy isinextricably linked to the General Terms and Conditions of J POINTGROUP LTD, but is not part of them. It does not regulate rights andobligations, but aims to explain to customers, employees, partners,subcontractors, and owners of J POINT GROUP LTD. what personal datawe process in connection with the provision of our services and goods(e.g., printing of advertising visuals, media, business cards,flyers, brands, boards, etc.), why and how we process them, includingwhen it is necessary to disclose personal data to third parties, aswell as in connection with the implementation of the company'soverall commercial and business activities. It also providesinformation about the rights that all affected parties have inrelation to the processing of personal data by J POINT GROUP LTD.

This Privacy Policy applies to personaldata that J POINT GROUP LTD collects and processes in connection withthe products and services provided by the company. It also applieswhen customers visit J POINT GROUP LTD websites or use the company'svarious social media pages. In these cases, the collection andprocessing of personal data is carried out in accordance with thepersonal data policy (and/or cookie policy) for the respective socialnetwork or application, which the company administering and owningthe rights has adopted and implemented.

For greater clarity and convenience forcustomers, many places in this Privacy Policy provide examples thatillustrate why and/or how J POINT GROUP LTD processes personal data.These examples are not part of this Privacy Policy, but are onlyillustrative and not exhaustive. Their sole purpose is to clarify andassist all parties in understanding our privacy policy.

II. DEFINITIONS

1. PERSONAL DATA

In practice, this is any informationthat identifies a specific natural person or that relates to anatural person who can be identified directly or indirectly. Thetypes of personal data covered by this Policy are: basic data; dataon website usage; location data when IP is used for analysis of usageon the company's websites; data provided when entering into acontract; contract data; obligation data; payment data; customercommunication data.

2. BASIC DATA

Full name; address; gender; age;telephone number; email address; data on sessions on the company'swebsite, including IP addresses, type of connection (email, etc.),start and end of the session, volume of downloaded and uploaded data,connection speed, etc.

2. Data provided upon conclusion of acontract. Personal data that our customers need to provide to J POINTGROUP LTD. in order to conclude contracts for the provision ofservices. The provision of such data is voluntary, but without it, JPOINT GROUP LTD cannot conclude the contract and fulfill itsobligations under it.

Such data for concluding a contractare: names of the customer, natural person; unified civil number (forBulgarian citizens); personal number (for foreign persons); address(the customer may provide, voluntarily and at their discretion, anaddress for receiving invoices, if different); data from an identitydocument (this data is not stored by J POINT GROUP LTD, but is usedto verify the validity of the document and the identity of the personconcerned); data on the representative (if the contract is concludedby a representative) and on their power of attorney.

Contract data – type of contract(e.g., manufacturing contract, additional agreement, leasingcontract, rental contract, credit contract, etc.); contract numberand date of conclusion; date of entry into force and term of thecontract; term; customer number; email address for the @invoiceservice (electronic invoice, if provided by the customer); telephonenumbers provided; goods provided – type, brand, model, uniquenumber; contract price and terms; date selected by the customer forissuing invoices; amount of monthly/rental lease payments (forlease/rental contracts); repayment plan (for lease/credit contracts);rights and obligations of the parties; information about thecommercial premises where the goods are installed or the services areprovided or delivered, etc.

Data on obligations – this is data onthe obligations of customers in connection with contracts concludedwith J POINT GROUP LTD. and services provided. Such data includes:information on issued invoices – date, number, due date, amountsdue, etc.; information about previous and current obligations;information about accrued penalties; information about warningmessages or letters sent in connection with customer obligations;information about deferral or rescheduling of customer obligations;information about termination of contracts due to non-payment ofliabilities; information about actions taken for out-of-court orjudicial collection of customer liabilities, etc.; information abouttransfer (assignment) of amounts due.

3. PAYMENT DATA

This is data aboutcustomer payments related to contracts with J POINT GROUP LTD. Thisdata includes: type of payment (e.g., payment of an invoice; date ofpayment; place of payment (e.g., a location other than the registeredoffice of J POINT GROUP LTD., a partner's location, etc.); amountpaid and obligation to which the payment relates; method of payment(e.g., cash, debit or credit card, direct debit, etc.); debit/creditcard information, bank account number, or other banking/paymentinformation (for cashless payments).

Data processed inconnection with communication between J POINT GROUP LTD and itscustomers in the form of inquiries, complaints, applications,requests, or customer complaints, when conducting satisfactionsurveys, during calls/messages related to the services used, etc.Such data includes: customer data; customer contact information(e.g., email address, phone number, address, etc.); type ofcommunication (written inquiry, application, complaint, letter,inquiry via online form or mobile application, email, phone call,short text message, etc.); date of sending or receiving communication(e.g., date of receipt of inquiry, complaint, claim, or message, dateof sending message, letter, etc.); information contained in therelevant communication (e.g., content of a customerinquiry/complaint, attached documents, content of the response orreference prepared by J POINT GROUP LTD), etc.

4. PROCESSING OF PERSONAL DATA

Processing of personal data means anyuse of personal data. Personal data processing includes the followingactions: collection; recording; storage; review; verification;modification; retrieval; disclosure; restriction; erasure;destruction, etc.

5.CONTACT WITH J POINT GROUP LTD

J POINT GROUP LTD, UIC 131145678, withregistered office and address of management in the Republic ofBulgaria, city of Sofia, Sofia region (capital), municipality ofSofia, Poduyane district, Hadji Dimitar residential area, 14 IvanMarinov Yonchev Street. In this Personal Data Policy, the use of thepronouns “We,” “Us,” or “Our” will also refer to J POINTGROUP LTD.

In this Privacy Policy, the use of thepronouns “We,” “Us,” or “Our” will also refer to J POINTGROUP LTD.

6.CUSTOMER, NATURAL PERSON

A natural person who: is entitled toreceive services from us on the basis of an individual contract, orin the form of an order or request for the manufacture of goods orproducts from the company's product list; has purchased goods fromus;

7. ANONYMIZATION OF PERSONAL DATA

Anonymization is an operation that isan alternative to the deletion or destruction of personal data. Itpermanently and irrevocably removes all elements that directly orindirectly identify a person. Anonymized data does not constitutepersonal data. (Example: If the personal data we have for a givencustomer is as follows: Name: Ivan Ivanov; Age 43; Address: City ofSofia, 117th Street, Block 555, Apartment 233, after anonymization,it may look like this: Name ****; Age 40-60; Address: Sofia)

8. RESTRICTION OF PERSONAL DATAPROCESSING

When restricting processing, J POINTGROUP LTD may only store the relevant personal data, unless: (a) thecustomer has given their consent; or (b) data processing is necessaryfor the establishment, exercise, or defense of legal claims; (c) theprocessing is necessary to protect the rights of another naturalperson; or (d) there are important reasons of public interest for theRepublic of Bulgaria or the EU.

GENERAL TERMS

The general terms are the General Termsof J POINT GROUP LTD, which are published on the company's website.

III. BASIC PRINCIPLES OF DATAPROCESSING

We process personal data in good faithand in a transparent manner; We process personal data for specific,explicitly stated and legitimate purposes, in accordance withapplicable law; We process personal data in order to provide ourcustomers with better products and services that are tailored totheir needs; We take the necessary measures to ensure the security ofthe personal data we process; We process personal data in accordancewith applicable law; We inform the customer what personal data wecollect, as well as why and how we do so; We process personal dataonly for legitimate purposes; The processing of personal data willnot exceed the period necessary to achieve these purposes, unless weare required to store it in accordance with applicable law; Werespect the rights that customers have under personal data protectionlegislation, including the right to access personal data, the rightto correct personal data, etc.; We implement the necessary technicaland organizational measures to protect our customers' personal datafrom accidental or unlawful destruction, accidental loss,unauthorized access, alteration, or dissemination, as well as otherunlawful forms of processing.

IV. WHAT PERSONAL DATA OF CUSTOMERS,NATURAL PERSONS DO WE PROCESS

We process different types of personaldata, depending on the type of services provided to customers. Suchdata includes customer identification data, information about whatservices a customer is entitled to use, how the customer uses theservices, information about payments made, invoices issued, currentobligations, and others. We process the following categories ofpersonal data for our customers: basic data; location data; dataprovided when concluding a contract; contract data; liability data;payment data; communication data.

V. HOW WE COLLECTPERSONAL DATA ABOUT OUR CUSTOMERS, INDIVIDUALS

We collect personaldata about our customers in various ways. In most cases, we receiveinformation directly from customers when concluding and executingcontracts with them. Certain data is generated automatically whencustomers use our services through our website, and sometimes thedata is provided to J POINT GROUP LTD by third parties or obtainedfrom other sources, such as public registers.

We collect personaldata directly from our customers: in pre-contractual relations withthem (when a customer expresses a desire to enter into a contractwith us or to register on our website to place an order); whenconcluding an individual contract; when concluding a contract forleasing/rental or for the purchase of goods; when concluding othercontracts with us; when or in connection with the performance,amendment, supplementation, or termination of a contract concludedbetween us and our customers (when fulfilling requests/orders, whenproviding customer service in response to a complaint or grievance,when paying a debt, when handling claims, etc.).

We collect personaldata about customers from third parties: in connection with theprovision of the service, when the order is placed by an advertisingagency or a client who places orders on behalf of other third partieswho are its customers. In such cases, the data is provided by ourclient's customers; upon receipt of electronic messages or datagenerated by other providers' networks, such as social networks, forexample, and terminated on our website or directly to us and ourcustomer system. In such cases, the data is provided by socialnetworks when our customers access us; during or on the occasion ofchecks carried out by competent state or municipal authorities. Insuch cases, the data is provided by the relevant authorities; uponreceipt of a request for the provision of data for a givencustomer(s) made by a competent authority in accordance with the dulyestablished procedure; during and in connection with the process ofcollecting customer debts. In such cases, the data may be obtainedfrom public registers or publicly available sources, from/through thecourts or from/through the enforcement authorities.

VI. HOW WE PROCESSTHE PERSONAL DATA OF CUSTOMERS WHO ARE NATURAL PERSONS

Processing of datanecessary for the preparation of proposals/offers and for theconclusion of contracts:

In order to concludea contract with us, the customer must provide their personal data.The provision of this data allows us to identify the customer as aparty to the contract and as the holder of the rights/obligationsunder it. Such data includes:

The customer's fullname, personal identification number, and address are part of theminimum content of each contract. If a customer refuses to providethem, we will not be able to conclude a contract.

During the contractconclusion process, data about the customer's identity document isalso processed in order to verify its validity, with the aim ofpreventing any attempts at fraud and/or misuse of personal data.

Processing of datanecessary for the performance of concluded contracts

In order to be ableto perform the contracts concluded with customers, we need to processtheir personal data. Otherwise, it will be impossible for us tofulfill our contractual obligations.

We process customerdata to ensure that the goods and/or services provided comply withthe provisions of their contracts.

In order to fulfillour obligations under a contract concluded with a customer, we needto process their personal data. It is thanks to this data that weidentify the customer as the contract holder. Example:

• if we do not knowthat a customer wishes to receive paper invoices, it is possible thatthey will not be sent to him/her;

• in order to sendan invoice to the relevant customer, we need to process data abouthis/her address.

Data processingnecessary to comply with regulatory obligations

In certain cases,applicable national and European legislation requires us to processpersonal data about our customers for specific purposes, in aspecific manner, and/or for a specific period of time. Below are themain cases in which we process personal data in order to comply withour regulatory obligations.

We process personaldata when we are required by applicable law to provide information tocompetent authorities.

The legislation ofthe Republic of Bulgaria requires us to store certain personal dataabout customers for a specific period of time. Where there are legalgrounds, this personal data processed by us must be provided to thecompetent authorities. Example

We process personaldata of customers when, under applicable law, we are obliged toassist competent state and/or municipal authorities in carrying outinspections by them.

We process personaldata because, under applicable law, we are obliged to ensure thesecurity of information systems (including the personal data of ourcustomers).

In order to prevent,identify, investigate and/or resolve: (a) vulnerabilities and/orsecurity breaches; or (b) breaches of personal data security, it isnecessary in certain cases to process personal data of customers.

We process personaldata to provide warranty support for our products, in accordance withgeneral legislation.

When a customerpurchases a product from us, under consumer protection legislation, JPOINT GROUP LTD must process the customer's basic data (whichestablishes the right to file a complaint), as well as the data forthe relevant contract (which establishes whether the relevant productis under warranty).

We process personaldata to fulfill obligations arising from accounting and taxlegislation.

Tax and accountinglegislation in the Republic of Bulgaria requires us to compilecertain accounting and commercial information, including storing thisinformation for a certain period, as well as any other informationand documents relevant to taxation.

In fulfilling thisobligation, the relevant information and documents, which alsocontain personal data of customers, are stored by us for periodsprovided for in the relevant laws. These periods are of long duration(for example, invoices, which are documents for tax and socialsecurity control, should be stored for a period of five years, and insome cases even longer).

Data processingnecessary to protect legitimate interests of J POINT GROUP LTD.

We process personaldata when conducting internal analyses in order to improve ourproducts and services, as well as to develop new ones.

In order tounderstand the needs of our customers, to improve and further developour products and services, as well as to increase the quality ofcustomer service, we process personal data.

We process personaldata in aggregate form and to establish the results of campaigns,which allows us to assess their effectiveness, the performance of acampaign, including the set commercial goals, as well as to properlyplan our future activities.

We process personaldata of our customers also for the purpose of assessing theperformance of our employees and those of our partners.

We process personaldata of customers for the purpose of studying their satisfaction withour products and services.

In order to improveour products and customer service, we sometimes seek their opinionthrough surveys that we send via short electronic messages (e-mail),via telephone calls (if the customer has provided an e-mail address).

When processing theresults of these surveys, we process the following personal data ofour customers: basic data; contract data; obligation data; aggregatedconsumption data; payment data; customer communication data. Withtheir consent, when conducting satisfaction surveys with our productsand services, we may also process their location data.

We process personaldata of customers in order to prepare appropriate offers for them.

J POINT GROUP LTDvalues ​​the time of its customers and strives for the company'sproducts and services to be increasingly better and more appropriate.Therefore, we process the personal data specified below in order tobe able to offer this product or service that is most in line withthe needs and/or preferences of our customers.

In order to prepareor select offers for our products or services that would be mostsuitable for our customers, we process the following personal data:basic data; contract data; obligation data; payment data;communication data with our customers. These offers are non-bindingfor our customers and do not create any commitments for them.

The standard offersof J POINT GROUP LTD, as well as those that are prepared or selectedfor a given customer, can be obtained from us or at our location fromour partner network. The offers can also be sent in the form ofdirect marketing, unless the relevant customer has opted out ofreceiving marketing messages, notifications or calls, as provided forin this Privacy Policy.

In order to make ouroffers even more suitable, with the consent of our customers, we alsoprocess location data.

We process personaldata of customers when conducting direct marketing.

J POINT GROUP LTDprocesses customer data to inform them of suitable offers forproducts and services via short electronic messages (e-mail), viatelephone calls or via notifications from our websitehttps://shop.jpoint.bg (for customers who use it).

Customers may at anytime opt out of receiving:

telephone calls orelectronic messages (e-mail) – by submitting a written applicationto us;

We process personaldata of customers when transferring receivables (assignments).

In accordance withthe legislation of the Republic of Bulgaria, J POINT GROUP LTD hasthe right to transfer its receivables from customers to third parties(such receivables are, for example, those arising from issued butunpaid invoices), without the need for their consent. For thispurpose, a receivables transfer agreement (“assignment agreement”)is concluded with the relevant third party.

Upon concluding anassignment agreement, J POINT GROUP LTD ceases to be the holder ofthe relevant receivable, which is transferred to the third party (newcreditor). One of the obligations of J POINT GROUP LTD under theassignment agreements is to provide the new creditor with alldocuments establishing the transferred receivables. In fulfillingthis obligation, J POINT GROUP LTD provides the new creditor withpersonal data about the clients, the receivables against which arethe subject of the assignment agreement.

When concludingassignment agreements, our respective clients, individuals, will beduly notified of this on behalf of J POINT GROUP LTD.

We process personaldata when this is necessary for the settlement of legal disputes.

Sometimes, in orderto exercise its rights or legitimate interests, J POINT GROUP LTD mayneed to process personal data of certain clients in order to make anout-of-court claim or to file a lawsuit against:

third parties fromwhom J POINT GROUP LTD has received personal data about the relevantclients in accordance with this Privacy Policy; or

third parties towhom J POINT GROUP LTD has disclosed personal data about the relevantclients in accordance with this Privacy Policy,

respectively, it ispossible that the above-mentioned persons, as well as the clientsthemselves, may make an out-of-court claim or file a lawsuit againstus. In such cases, it may be necessary for J POINT GROUP LTD toprocess personal data of certain clients in order to organize andconduct the defense of the relevant claim or lawsuit (in this way, JPOINT GROUP LTD aims to protect itself from unlawful attacks on itsproperty and/or reputation).

The type and volumeof personal data processed depend on the nature of the out-of-courtclaims made or the lawsuits filed.

See example:

A customer claims incourt that the amounts charged in his/her invoice are not due. Thisrequires us to conduct an internal investigation into the case inorder to establish the validity of the customer's claim, as well asto present the necessary evidence to the court (e.g. contracts,invoices, etc.);

A competentauthority to which we have refused to provide data about a customersanctions us and we challenge the imposed sanction in court, whichrequires the processing of personal data about the respectivecustomer and the provision of evidence to the respective court.

Data processingbased on consent given by a customer.

We may processpersonal data of customers for other purposes, upon receipt of theirconsent. The consent given may be withdrawn by customers at any time,completely free of charge, in any of the following ways: bysubmitting a written application to us;

The withdrawal ofconsent does not affect: the lawfulness of the processing of personaldata based on the withdrawn consent before its withdrawal; and theprocessing of personal data for purposes for which consent is notrequired as provided for in this Privacy Policy.

With the consent ofcustomers, we process their location data in order to prepare evenmore suitable products and services. With the consent of customers,we process their location data when conducting surveys onsatisfaction with products and services;

In the event that acustomer has refused to receive messages or calls for directmarketing, with his/her subsequent consent, J POINT GROUP LTD mayresume the processing of personal data for the purpose of sendingsuch messages or calls;

With the consent ofa customer, J POINT GROUP LTD processes their personal data(including personal identification number data) for the purpose ofperforming a credit assessment when customers wish to receive a goodor service on installment payment or on lease, as well as for rent.Providing such consent is voluntary. In the event that a clientrefuses to have a credit assessment prepared for him/her, he/she willbe able to purchase the desired service/product according to theprice list approved by us;

With the consent ofa client, we process data about their Personal Identification Number(PIN), providing them to third parties for the purposes ofextrajudicial collection of debts to us;

VII. PROFILING

What is profiling:one of the ways of processing personal data, in which analysis andassessment of specific aspects (e.g. credit score) or prediction ofpotential preferences and interests of a given individual areperformed. Profiling uses automated means – information systems fordata processing.

In which cases, JPOINT GROUP LTD. performs profiling:

To prepare amarketing assessment and analysis for potential or existing clients.This is an automated analysis for a natural person in view of his/herpotential opportunities to benefit from our services and products.Its purpose is to show us how likely it is that a given person willbenefit from our products or services.

To prepareappropriate offers to clients. The preparation and selection ofappropriate offers to clients is carried out through automated andnon-automated analysis of his/her data (e.g. for a current contract,data on consumption of products or services, etc.) and is based onsummarized statistical information about other current or formerclients of the company. The purpose of this analysis is to determinewhich product or service we believe would be most suitable for thecustomer.

Example: if acustomer's aggregated consumption of products or services shows ahigh volume of consumption, it is possible to offer him/her anindividual offer, proposal or individual package of products.

For internalanalyses. When performing internal analyses, customers are groupedbased on their basic data, contract data and their aggregatedconsumption of products and services in order to establish a possibleconnection between their data and the use of certain products orservices, as well as to establish the reasons for refusals ofproducts or services, and for switching from one type of product orservice to another, or for continuing to use the relevant service orproduct. Based on this information, J POINT GROUP LTD develops itsproduct portfolio and customer service, evaluates the company'sperformance and plans its future activities.

For the prevention,detection and investigation of abuse. For the purposes of preventing,detecting and investigating abuse. J POINT GROUP LTD carries outautomated analysis of its customers' data. Based on this, cases ofatypical behavior are identified, which are then individuallyreviewed by our employees to verify whether it is actually abuse ornot.

VIII. CATEGORIES OFPERSONS TO WHOM WE DISCLOSE PERSONAL DATA OF OUR CLIENTS, NATURALINDIVIDUALS

Processors ofpersonal data. Processors of personal data are persons who processpersonal data on behalf of and on behalf of J POINT GROUP LTD or itsclients, who entrust us with the execution of a product or service,based on a written or informal agreement/contract. They are notentitled to process the personal data provided to them for purposesother than the performance of the work entrusted to them by us or byour clients-clients. Processors are obliged to comply with allinstructions of J POINT GROUP LTD or our clients-clients, who entrustus with the processing of personal data of their clients, thirdparties.

J POINT GROUP LTDtakes the necessary measures to ensure that the engaged processorsstrictly comply with the legislation on personal data protection andthe instructions of the administrator, as well as that they havetaken appropriate technical and organizational measures to protectpersonal data.

Examples of personaldata processors: persons in whose commercial establishments may: (a)contracts be concluded with us; and/or; and/or (b) obligations to usbe paid; and/or (c) part or all of our range of products be performedas manufacturing. Such persons are our distributors, salesrepresentatives and others; Persons who provide us with invoiceprinting services, etc.; Suppliers who provide us with services forthe production of media, visions, design, advertising products, etc.from our production range; Courier service providers; Providers ofservices for the implementation and/or maintenance of informationsystems, which sometimes need to access personal data processed inthe relevant systems for the purposes of providing the services;Out-of-court debt collection companies that process personal data ofclients on behalf of J POINT GROUP LTD; Providers of services fororganizing, storing and maintaining archives of client data, as wellas services for the destruction of such archives; Providers ofelectronic certification services, in the case of using an electronicsignature to sign documents related to our products and services; Lawfirms, attorneys, accounting firms or other providers of consultingservices; third parties who acquire receivables from us to ourclients; our partners (In order to provide certain services to itsclients, J POINT GROUP LTD enters into contracts with third parties(partners). In connection with the provision of the relevantservices, it is sometimes necessary for the relevant partners toprovide personal data of the clients; Banks and payment institutions(In connection with servicing payments to our clients made by banktransfer or through a payment institution, it is necessary toexchange data between us and the relevant bank or paymentinstitution.); Competent authorities; Third parties in connectionwith a transformation (e.g. merger or acquisition) or transfer of acompany (In the event of a transformation of J POINT GROUP LTD, aswell as in the event of a transfer of assets in accordance withapplicable legislation, it is possible that the personal data of ourclients, administered by us, may be provided to a third party - alegal successor);

ІX. PROCESSING OFPERSONAL DATA OUTSIDE THE TERRITORY OF BULGARIA

As a rule, J POINTGROUP LTD. strives not to send personal data of our clients outsidethe territory of the European Union (EU) and the European EconomicArea (EEA). However, in certain cases, in order for us to be able toprovide our products and services, it is necessary for certain datato be sent to persons outside the EU/EEA (e.g. in order to provide aservice or product), in compliance with the requirements of theapplicable legislation and as described in this Personal DataProtection Policy.

In the event that itis necessary for personal data of a client or an individual to besent by us to a country outside the EU or EEA, this will be done incompliance with this Policy and in the presence of one of thefollowing conditions:

When there is adecision of the CPDP or the European Commission, according to whichthe relevant country ensures an adequate level of personal dataprotection;

When an agreementhas been concluded with the organization to which personal data aresent, containing the standard data protection clauses approved by theEuropean Commission with Decision No. 2010/87/EU:

(https://www.cpdp.bg/userfiles/file/Transfers/BCR_Commission_decision_2010-87_Bg.pdf)

When the transfer ofdata is necessary to perform a contract with the relevant client,individual, or individual in relation to our client;

When it is necessaryto transfer data to an organization in the USA, the transfer iscarried out to the extent that the relevant organization participatesin the Privacy Shield, adopted by decision of the European Commissionon 26.07.2016(https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en)

X. HOW LONG DO WEKEEP CUSTOMERS' PERSONAL DATA C

J POINT GROUP LTD.stores the personal data of its customers for as long as necessary toachieve the goals set out in this Privacy Policy or to comply withlegal requirements. In order to fulfill our obligations arising fromtax and accounting legislation, data about a given customer is storedfor a period of five years or more, starting from the termination ofhis/her last contract, as long as the customer has no unpaid debts tous. After the expiry of the terms for processing personal data, theyare anonymized or deleted/destroyed, unless:

• they arenecessary for pending legal, arbitration, administrative orenforcement proceedings, or in the event of a complaint from therespective customer, which should be considered by us, or

• the respectivecustomer has exercised his/her right to request restriction of theprocessing of personal data concerning him/her;

J POINT GROUP LTDmakes efforts to ensure that the personal data processed aboutcustomers is updated (and, if necessary, corrected), and that no datais stored that is not necessary to achieve the purposes describedabove.

XI. WHAT RIGHTS DOINDIVIDUALS HAVE IN RELATION TO THE PROCESSING OF PERSONAL DATA

General informationon the rights of individuals

J POINT GROUP LTDtakes action at the request of an individual to exercise a rightunder this section only if it is able to identify the relevantindividual.

Only an individualwho can be identified by us has the opportunity to exercise theirrights under this section. If the purposes for which J POINT GROUPLTD processes personal data do not require or no longer require theidentification of a given individual, we are not obliged to maintain,obtain or process additional information to identify the individualfor the sole purpose of taking action based on that individual'srequest.

J POINT GROUP LTDshall notify individuals of the actions taken within one month ofreceipt of a request under this Section, and in certain cases thisperiod may be extended by up to two months.

J POINT GROUP LTDshall provide individuals with information about the actions taken inconnection with their requests to exercise rights under this Sectionwithout undue delay and in any case within one month of receipt ofthe request. If necessary, this period may be extended by a furthertwo months, taking into account the complexity and number ofrequests. J POINT GROUP LTD shall inform the relevant individual ofany such extension within one month of receipt of the request,indicating the reasons for the delay.

In the event of arefusal to comply with a request, J POINT GROUP LTD shall inform therelevant individuals of their rights.

If J POINT GROUP LTDdoes not take action on the request of a natural person, J POINTGROUP LTD shall notify him without delay and at the latest within onemonth of receiving the request of the reasons for not taking action,as well as of the possibility of filing a complaint with theCommission for Personal Data Protection and seeking judicialprotection.

In certain cases, JPOINT GROUP LTD may request additional information to confirm theidentity of the natural person.

In the event that JPOINT GROUP LTD has reasonable concerns regarding the identity of thenatural person submitting a request under this section, J POINT GROUPLTD may request the provision of additional information necessary toconfirm the identity of the person.

The actions taken byJ POINT GROUP LTD upon and in connection with requests submitted toexercise rights under this section are completely free of charge forthe persons, unless their requests are manifestly unfounded orexcessive.

The actions that JPOINT GROUP LTD takes in connection with and in connection with theexercise of the rights of individuals are completely free of charge.When the request of a given individual is clearly unfounded orexcessive (for example, due to its repetition), J POINT GROUP LTD hasthe right, at its discretion: to request the payment of a reasonablefee, determined on the basis of the administrative costs necessary toprovide the requested information or to take the requested actions.

Clients, individualshave the right to access the personal data concerning them.

Clients, individualshave the right to obtain from us information whether personal dataconcerning them is being processed. If this is the case, they havethe right to access the relevant data.

Our clients,individuals, have the right to request the correction of personaldata concerning them, when they are inaccurate or outdated.

In the event thatthe personal data processed by us are inaccurate or outdated,individuals have the right to request that we correct them.

EXAMPLE: Thecustomer has changed his/her address and wishes the information aboutthe new address to be updated in our database; The customer has foundthat when concluding a contract with us, an error was made in his/hernames and submits a request for the error to be corrected.

In certain cases,customers have the right to request the deletion of personal datarelating to them.

Customers,individuals, have the right to request from us the deletion ofpersonal data relating to them in the following cases: the personaldata are no longer necessary for the purposes for which they werecollected or processed; the customer, an individual, has withdrawnhis/her consent on which the processing of personal data is based andthere is no other legal basis for the processing of the same; thecustomer, an individual, has objected to the processing of personaldata, which is based on the legitimate interest of J POINT GROUP LTD,unless there are other legitimate grounds for the processing whichoverride the interests, rights and freedoms of the customer, or theprocessing of data is necessary for the establishment, exercise ordefence of legal claims; the customer has objected to the processingof personal data for direct marketing purposes and there are no otherlegitimate grounds for the processing of these data; the personaldata relating to the customer concerned have been processedunlawfully; the personal data must be deleted by us in order tocomply with a legal obligation arising from the law of the Republicof Bulgaria or from the law of the European Union.

In certain cases,our customers have the right to request the restriction of theprocessing of personal data relating to them.

As of 25.05.2018,our customers have the right to request J POINT GROUP LTD to restrictthe processing of personal data relating to them in the followingcases:

the accuracy of thepersonal data is contested by the individual, for a period thatallows J POINT GROUP LTD to verify the accuracy of the personal data;

the processing isunlawful, but the customer does not want the personal data to bedeleted, but instead requests the restriction of their use;

J POINT GROUP LTD nolonger needs the personal data for the purposes of the processing,but the customer requires them for the establishment, exercise ordefense of legal claims;

the customer hasobjected to the processing of personal data based on the legitimateinterest of J POINT GROUP LTD, pending verification of whether ourlegitimate grounds override our interests.

In certain cases,our customers have the right to the portability of personal dataconcerning them.

As of 25.05.2018,our customers have the right to receive from us the personal datathat they have provided (for example, data that is provided whenconcluding a contract) in a structured, commonly used andmachine-readable format, and to transfer these data to anothercontroller without hindrance from us, insofar as: we process thesedata for the purposes of concluding or performing a contract with thecustomer, or on the basis of a consent given by the latter and theprocessing of the relevant data is carried out by automated means.

Customers have theright to request that we transfer their personal data directly toanother controller, where this is technically feasible.

In certain cases,our customers have the right to object to the processing of personaldata concerning them.

The customer, anindividual, has the right, at any time and on grounds relating totheir particular situation, to object to the processing of personaldata concerning them, where J POINT GROUP LTD processes their datafor the protection of its legitimate interests.

In certain cases,this right is unconditional and we will always suspend the processingof data upon an objection by a customer. These are the cases in whichJ POINT GROUP LTD processes personal data for the purposes of directmarketing.

In other cases,depending on the nature of the objection and the circumstancespresented by the respective customer, an individual, J POINT GROUPLTD will conduct an internal investigation into the objection andwill decide on it in accordance with this section, by: (a) informingthe customer that it will suspend the processing of his/her personaldata; or (b) refusing to suspend the processing of his/her personaldata, if there is a legal basis for this.

EXAMPLE: If a clientobjects to the processing of his/her personal data in connection witha concluded assignment agreement, arguing that he/she did not consentto the provision of his/her data to a third party, J POINT GROUP LTDwill reject the objection, since according to the Obligations andContracts Act, the debtor's consent is not required for theconclusion and performance of assignment agreements.

The client, anindividual, has the right to file a complaint with a supervisoryauthority for personal data protection.

The client has theright to file complaints or reports with the Commission for PersonalData Protection (CPDP), if in their opinion we are violating thelegislation on personal data protection. Instructions for filingcomplaints are published on the CPDP website: https://www.cpdp.bg

After 25.05.2018,clients may also file complaints with other supervisory authoritieswithin the European Union, as provided for in Regulation (EU)2016/679 of the European Parliament and of the Council of 27 April2016 (on the protection of individuals with regard to the processingof personal data and on the free movement of such data, and repealingDirective 95/46/EC).

XII. HOW WE PROTECTTHE PERSONAL DATA OF OUR CLIENTS, INDIVIDUALS

Building andmaintaining trust between us and our clients is a key strategicpriority for us. Therefore, the protection of our systems andpersonal data is of paramount importance, both for our clients andfor us. Our main goal is for our clients and the individuals relatedto them to feel in “safe hands” when use our products andservices. In accordance with the requirements of current legislationand good practices, we take the necessary technical andorganizational measures to ensure that the personal data ofindividuals is safe.

To ensure theprotection of the personal data of our clients, J POINT GROUP LTD.uses modern technologies, combined with uncompromising management ofsecurity controls. In order to ensure maximum data protection, JPOINT GROUP LTD. has adopted numerous policies that regulate dataprocessing. Various mechanisms (encryption, anonymization,pseudonymization, etc.) are also applied both in relation to “datain transit” (data in transit) and “data at rest” (data atrest).

XIII. CONTACTINFORMATION FOR J POINT GROUP LTD

J POINT GROUP LTD,UIC 131145678, with its registered office and registered office inthe Republic of Bulgaria, Sofia, Sofia District (Capital), StolichnaMunicipality, Poduyane District, Hadzhi Dimitar Residential Complex,14 Ivan Marinov Yonchev Street, is the administrator of personal dataprocessed in this Personal Data Protection Policy.

For questions andinquiries regarding the processing of personal data and theirprotection, you can contact us directly at the specified contactdetails.

XIV. ENTRY INTOFORCE AND UPDATE OF THIS PERSONAL DATA POLICY

This Personal DataPolicy is current as of 25.05.2018.

This Personal DataPolicy may be amended or supplemented due to changes in applicablelegislation, at the initiative of J POINT GROUP LTD, the clients or acompetent authority (e.g. the Personal Data Protection Commission).

J POINT GROUP LTDinforms clients of amendments or supplements to this Personal DataProtection Policy no less than 30 (thirty) days before their entryinto force, by:

publishing theupdated Personal Data Protection Policy on its website; and sendingshort text messages (e-mail) to its clients containing a link to thewebsite where the updated version of this Personal Data ProtectionPolicy is published;

It is recommendedthat our clients periodically check the most current version of thisPersonal Data Protection Policy on our website.