Appendix V: Compliance with Other International Data Privacy Legislation

Documents

Annex V: Compliance with Other International Data Privacy Laws

In addition to the provisions of Annex III (Data Protection Policy (GDPR – EU)) and Annex IV (California Consumer Privacy Rights (CCPA)), DeepThink undertakes to respect and comply with the personal data protection laws applicable in other relevant jurisdictions where it may provide services or have Users. These obligations apply without prejudice to DeepThink's membership of the Prime Quad Partners SL ("Prime Partners") business group, which includes various entities specializing in digital technology and services.

In this context, DeepThink may exchange User personal information with other companies in the group only in the cases provided for by applicable law, and always in accordance with the confidentiality, data protection, and contractual guarantees provided for in Annexes II, III, IV, and V.

The main legal frameworks of reference and how DeepThink ensures compliance are described below:

1.Brazil (Lei Geral de Proteção de Dados - LGPD) 1.1.In the event that the LGPD (Law No. 13,709/2018) is applicable, DeepThink guarantees: 1.1.1.Compliance with the principles of purpose, necessity, transparency, security, non-discrimination, and accountability. 1.1.2.Respect for the rights of Brazilian data subjects: access, rectification, cancellation, opposition, portability, information about sharing, and revocation of consent. 1.1.3.The handling of requests through the contact channel [email protected], respecting the deadlines and procedures set forth in the LGPD. 1.1.4.In the event of international data transfers from Brazil, DeepThink will adopt appropriate legal mechanisms (such as standard contractual clauses or binding corporate rules) to ensure an adequate level of protection. 1.2.The exchange of data between companies in the Prime Partners group will also be subject to these guarantees and will be limited to the legitimate and explicit purposes informed to the data subject.

2.Canada (Personal Information Protection and Electronic Documents Act - PIPEDA) 2.1.For Users located in Canada, DeepThink acts in accordance with the Ten Privacy Principles established by PIPEDA, including: 2.1.1.Accountability: DeepThink is responsible for the data under its control and adopts internal compliance policies. 2.1.2.Identification of purposes before collecting personal data. 2.1.3.Informed consent when required. 2.1.4.Limitation of collection, use, and retention to the legitimate purposes disclosed. 2.1.5.Accuracy and security of data through appropriate technical and organizational measures. 2.1.6.Transparency and individual access, including mechanisms for challenging compliance and filing complaints. 2.2.Any transfer of personal data to other Prime Partners group companies within Canada or from Canada to other jurisdictions will be carried out in accordance with the principle of accountability and will require appropriate contractual safeguards, in accordance with PIPEDA.

3.Japan (Act on the Protection of Personal Information - APPI) 3.1.DeepThink guarantees compliance with the Japanese Personal Information Protection Act (APPI) in the following aspects: 3.1.1.Prior and clear notification of the purpose of use of personal data. 3.1.2.Obtaining consent when legally required, especially for special categories of personal data. 3.1.3.Prohibition of transfer to third parties without consent, except for legal exceptions (e.g., use by subprocessors under contract). 3.1.4.Response to requests for access, correction, suspension, or deletion of data by the data subject. 3.2.In the event of international transfers, DeepThink will ensure that the recipient (even if part of the Prime Partners group) has an equivalent level of protection to that required by the APPI, either through explicit consent or contracts incorporating appropriate clauses.

4.Other relevant jurisdictions 4.1.DeepThink seeks to comply with the fundamental privacy principles of other jurisdictions, including: 4.1.1.United Kingdom: Compliance with the UK GDPR and the Data Protection Act 2018, on an equal footing with the GDPR. 4.1.2.EEA States: Compliance with local legislation that supplements the GDPR (e.g., requirements regarding explicit consent or processing records). 4.1.3.United States (outside California): DeepThink adopts practices compatible with emerging state laws (Colorado, Virginia, Connecticut, Utah, etc.), offering rights similar to those provided under the CCPA where reasonable and applicable. 4.2.DeepThink also respects the principles of the APEC Cross-Border Privacy Rules (CBPR) for its operations in the Asia-Pacific region, to the extent of its participation in those markets.

5.Data sharing within the business group 5.1.In all cases, if DeepThink shares User personal data with other companies in the Prime Partners group, it will ensure that: 5.1.1.It has a valid legal basis for such communication, whether it be legitimate interest, contractual compliance, or consent, in accordance with applicable law. 5.1.2.Establish appropriate inter-company contracts that clearly define the purposes, responsibilities, and protective measures. 5.1.3.Ensure that the transfer of data does not involve a sale of data or entail uses not disclosed to the User. 5.2.Such transfers shall be limited to the purposes already communicated to the User in Annexes III (Data Protection Policy (GDPR – EU)), Annex IV (California Consumer Privacy Rights (CCPA)), Annex V (Compliance with other International Data Privacy Legislation) and Annex VI (General Data Privacy Policy), including: 5.2.a.Provision of specialized technical support. 5.2.b.Improvement of the User experience. 5.2.c.Proposal of complementary technological services.

6.Commitment to continuous improvement and transparency 6.1.DeepThink actively monitors international legislative changes and adapts its privacy policies and practices to maintain a consistent and high level of regulatory compliance. 6.2.If any national or sectoral law applicable to a User grants more rights or requires greater guarantees than those provided in this annex, DeepThink will act in accordance with the principle of maximum protection. 6.3.The User may consult DeepThink about the processing of their data in their specific country and exercise their rights by emailing [email protected].