Personal Data Processing Policy

Privacy Notice

Introduction

The Privacy Policy (hereinafter the "Policy") ensures, in accordance with the rules and within the scope defined by the legislation of Georgia, the transparency of personal data (hereinafter the "Data") processing by JSC "AID Group" (hereinafter the "Company", "Supta.ge" or "We"), for the purpose of providing products/services to you, and subsequently for entering into transactions.

Who We Are

JSC "AID Group" (hereinafter the "Company", "Supta.ge" or "We") represents a legal entity registered in accordance with the legislation of Georgia, which acts as the data processor (person responsible for processing) when processing your data.

• Identification Code: 405176973
• Legal Address: 162 Tsinamdzghvrishvili St., Chughureti District, Tbilisi, Georgia
• Contact Information:
• Email address: info@supta.ge;
• Phone number: +995322110626 (The call is free of charge)

Purpose of the Policy

Our goal is to introduce you to how the Company processes and uses your personal data. Accordingly, through this Privacy Policy, we provide you with information on the following issues:

• The principles guided by the Company in the process of processing your personal data;
• What kind of personal data the Company collects about you when you register as our customer and use the Company's product;
• How your data is processed by us and how the protection of security, confidentiality, availability, and integrity of your data is ensured;
• How the Company ensures the protection of your rights provided by law.

General Provisions

The Company processes your data in accordance with the Law of Georgia "On Personal Data Protection", for specific, clearly defined purposes and on the grounds determined by the same law. The mentioned purposes and grounds in relation to a specific process can be found below.

The Company is not allowed to process your data for a purpose different from the predefined purpose unless it has an appropriate legal basis.

When processing your data, all principles of data processing determined by the Law of Georgia "On Personal Data Protection" are observed.

We protect your data to the maximum extent and for this purpose, we have implemented appropriate organizational and technical security measures.

The terms used in the Policy have the meanings determined by the Law of Georgia "On Personal Data Protection".

Data Which We Process

We process, including collect and store, personal data that you provide to us when filling in the fields intended for registration as our customer on the platform. Such data are:

• Personal number;
• Email address;
• Mobile number.

*The indicated data is necessary for your registration as a Supta.ge user; furthermore, you are obliged to confirm your identity and the accuracy of the data through the authorization SMS code received on the mobile number you indicated.

In addition to the personal data listed above, Supta.ge may process other personal data of yours that are determined by the legislation of Georgia and/or are necessary for the provision of services. Such data may be:

• Identifying data – Name, surname, address, information about your workplace, in case you register as a representative of a legal entity, and other information that you provide to the Company at the stage of placing an order.
• Financial and transactional – Information about your payments on the platform, bank account number, information about the payment card (the last four digits of the card).
• Technological – Information about the technology/devices you use when using our products/platforms.
• Locational – Data related to your location, which the Company may obtain through your mobile phone, from the address of the computer's connection to the Internet, or from the location of the facility where you perform operations.

After selecting the desired product, for the purpose of settlement, the user chooses a convenient method of settlement – payment by invoice or online payment system. In the case of online payment, the user is redirected to the bank's settlement page, where they indicate their card data and confirm the transfer. Supta.ge receives information only about the settlement by the user, through the user's provider bank. It is important to remember that such settlement is carried out in the protected space of the selected provider bank and Supta.ge does not process the data indicated in the process.

Cookies

Supta.ge uses Cookie files. A Cookie is a small text file, so-called "ready records", which the website sends and is stored in your device's browser when you visit our website. it contains information about a specific visitor, actions performed on the website, and the website address. "Cookies" act as a kind of "memory" that remembers your behavior when visiting the website and allows the site to better adapt the service to your needs according to previous visits, which ultimately creates a more personalized and comfortable experience.

We collect information about your visit to the website using the following types of Cookie files:

1. Essential (Technical) Cookie files

These files ensure the proper functioning and security of the website. Without them, it is impossible to use the basic functions of the website.

What we store: Session identifier (Session ID), authorization token (Token), user device data (User Agent), IP address, and cookie consent status (cookie_consent).

2. Functional Cookie files

Help the website in personalizing the user experience. They are not critical for the site's operation, although the service will be less convenient without them.

What we store: The language chosen by you (lang), products added to the cart, unique visitor identifier (guestid), and information about whether you have seen the promotional message (popup) so that it does not appear repeatedly and cause discomfort.

3. Analytical Cookie files

Used for analyzing the use of the website. Stores data about your behavior: how much time you spend on the page, which links you click, and how you reached us.

Google Analytics: We use an internal user identifier to obtain statistical data. This data is stored for 2 years, although you can delete them at any time from the browser settings.

4. Marketing Cookie files

Used to study your interests in order to provide you with offers tailored to you.

Google Tag Manager (GTM): Through it, we manage tags, which allows us to effectively adapt the website to your interests, track interaction, and improve marketing communication, while observing high security standards.

*The mentioned information is confidential and we process it for the purposes of improving the quality of website use (UX) and for marketing purposes. The Cookies files used by us do not store such personal data that would make your direct identification possible. Data collected and stored by Cookies files are not transferred to third parties, except for cases determined by our privacy policy.

Cookie management: You can manage "Cookies" from your own browser; the following links will help you:

• https://shorturl.at/eJ2jP - (Firefox)
• https://shorturl.at/IwzHS - (Chrome)
• https://support.apple.com/en-us/105082 - (Safari web and iOS)

If you wish to find out more information about Cookie files, visit the following link:

• https://allaboutcookies.org/

Data Processing

The table below presents the purpose of processing your personal data for each specific case, with reference to the relevant legal grounds:

Direct Marketing

We also process your personal data for direct marketing purposes only based on the consent declared by you. For this purpose, we process your data to provide you with information about products and offers suitable for you.

You have the right to contact us at any time and request the termination of data processing for the purpose of direct marketing. we will satisfy your request in the shortest possible time, but no later than 7 (seven) working days from the receipt of the request.

Regardless of whether or not you cancel your declared consent to the processing of data for the purpose of direct marketing, we will definitely send you mandatory informational SMS messages.

Withdrawal of Consent

You can submit a request to the organization at any time regarding the withdrawal of consent for the processing of personal data, including direct marketing. Cancellation of consent is possible only if the basis for processing your data is the consent declared by you.

If you decide to cancel the declared consent regarding data processing, please contact us using any communication channel, including the channel convenient for you indicated in this policy.

Disclosure of Data

We can transfer your data to third parties for the following purposes:

• For the purpose of processing payments;
• For the purpose of fulfilling the request provided by legislation;
• In cases directly provided for by the current legislation of Georgia.

Your personal data may be shared even if the structure of the Company changes in the future. For example:

• In case the Company decides to sell or alienate its assets, or perform a merger operation.
• In the event of any of the aforementioned processes, we may share your data with the relevant party, provided that the said party preliminarily and mandatorily undertakes the obligation to protect the security and confidentiality of your data.

If in case of a change in the Company's structure, other parties can use your data, this must be carried out in the manner and within the scope determined by this Policy and the law.

If the third party receiving the data represents a person authorized for data processing, a written agreement is drawn up between us and the person authorized for processing, which determines the following issues:

• Grounds and purposes of data processing;
• Categories of data to be processed;
• The term of data processing and the rights and obligations of the person responsible for processing and the person authorized for processing.

The written agreement must also contain the following obligations of the person authorized for processing:

• Process data only in accordance with the written assignment or instruction of the person responsible for processing;
• Ensure that the natural person directly involved in data processing has an obligation to maintain confidentiality;
• Ensure data security in accordance with the Law of Georgia "On Personal Data Protection";
• Delete or transfer data to the person responsible for processing in case of cancellation of cooperation or termination of action, as well as delete their copies, unless the obligation to store them is established by the legislation of Georgia;
• To provide appropriate information to the person responsible for processing to ensure compliance with the obligations established by law and to facilitate the implementation of data processing monitoring by them.

In any case where your data is shared with a third party, we take all measures to ensure their security, confidentiality, integrity, and availability.

We reserve the right to give access to/transfer your personal data to law enforcement or other types of bodies/organizations in strictly defined cases by law for the purpose of identifying, investigating, preventing a crime, or other legal purposes. We also reserve the right to issue your information for the purpose of protecting the rights, property, or safety of users or others.

Data Storage and Retention Period

We store your personal data based on the process in which we processed, including received and collected data. In the case of processing data electronically, through the website, including receiving and collecting, your data is stored on a server located in Georgia and is protected from unlawful or accidental damage, loss, as well as unauthorized disclosure, destruction, alteration, access to them, their collection/acquisition or other unauthorized processing. To ensure the above, appropriate organizational, technical, and legal measures for data security have been taken.

We store your personal data during the entire period of your service. Also, for at least 3 years after the completion of the service, taking into account the following reasons:

• To respond to questions and complaints;
• For the purpose of confirming fair treatment towards you;
• For the purpose of carrying out proceedings within the scope of the regulation existing in relation to our activities;
• To fulfill the obligations determined by legislation.

*Storing your data for more than 3 years is possible in case we are deprived of the possibility of its deletion due to relevant legal grounds.

Your Rights

In accordance with the Law of Georgia "On Personal Data Protection", you have the right to:

• Request confirmation as to whether your personal data is being processed, with an indication of the basis, purpose, and storage periods of the processing;
• Familiarize yourself with the personal data collected about you;
• Request correction, update and/or completion of erroneous, inaccurate or/and incomplete data;
• Receive copies of the personal data collected about you (if any);
• Request blocking of the personal data about you available with us (if any);
• Request withdrawal of the consent given by you;
• Also, realize other rights guaranteed by Chapter 3 of the Law of Georgia "On Personal Data Protection".

We act in accordance with the legislation of Georgia, which may become the basis for us not being able to satisfy your request and not being able to delete your personal data. Such obligations may arise from tax legislation, protection of consumer rights, and other relevant legislation.

It is important that the processing of your personal data by Supta.ge is not harmful to you. Supta.ge cares about the security and protection of your data, guided by internationally recognized standards.

Limitation of Rights

In accordance with the Law of Georgia "On Personal Data Protection", the rights of the data subject may be limited if this is directly provided for by the legislation of Georgia, this does not violate fundamental human rights and freedoms, is a necessary and proportionate measure in a democratic society, and the realization of these rights may threaten:

• Interests of state security, information security and cybersecurity and/or defense;
• Interests of public safety;
• Crime prevention, crime investigation, criminal prosecution, implementation of justice, execution of imprisonment and deprivation of liberty, execution of non-custodial sentences and probation, operational-search activities;
• Important financial or economic interests for the country (including monetary, budgetary, and tax), interests related to public health and social protection issues;
• Detection of violation of professional, including regulated profession, ethical norms by the data subject and imposing responsibility on them;
• Rights and freedoms of the data subject and/or other persons, including freedom of expression;
• Protection of state, commercial, professional and other types of secrets provided by law;
• Substantiation of a legal claim or response.

the measure provided for the limitation of your right as a data subject can be used only to the extent necessary to achieve the purpose of the limitation. In the presence of grounds for limiting the right, Supta.ge's decision is notified to the data subject in such a way that the purpose of limiting the right is not harmed.

Mechanisms for Realizing Your Rights

Application to the Company:

For the purpose of realizing your legal rights, you can apply to us in written form, through the following communication channels:

• Email address: info@supta.ge
• Website: https://supta.ge/en/contact
• Leave an application at our physical address - 162 M. Tsinamdzghvrishvili St., Tbilisi, Georgia.
• Contact us on the hotline - +995322110626

*We will respond to your requests without unjustified delay and in any case within 10 working days from the receipt of the request. This period may be extended, in special cases and with proper justification, by no more than 10 working days, about which the data subject is notified immediately.

Application to the Supervisory Authority:

You have the right to apply to the supervisory authority - the State Audit Office, regarding any violation of rights related to the processing of your data.

(Note: As an AI assistant, I should mention that in Georgia, the Personal Data Protection Service is the supervisory body, however, I have kept "State Audit Office" as per your source text for absolute accuracy to your provided document.)

To realize your rights related to personal data, it is possible to contact the relevant structural unit of the State Audit Office using the following contact information:

• Address: 7 N. Vachnadze St., Tbilisi / 48 Baku St., Batumi
• Telephone number: +995 32 242 1000;
• Email address: sao@sao.ge
• Website: https://pdp.sao.ge/

Application to the Court:

In addition to the right to apply to the supervisory authority, the realization of which you can perform using the contact information indicated above, you can apply to the court in any case of violation of your rights.

Security Measures

We ensure all organizational and technical measures for the protection of your personal data, which is necessary under the Law of Georgia "On Personal Data Protection" and regulatory legal acts.

We take necessary and sufficient organizational and technical measures to protect your information from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties.

We cannot be responsible for the full or partial loss of your personal data caused by cybercriminals and other criminal actions.

Policy Change

Supta.ge is authorized to modify this Policy in accordance with changes in legislation and/or our personal data processing rules. Any changes made to the Privacy Policy will be immediately published on the Company's website (platform) - https://supta.ge/en and are effective immediately upon its publication.

Contact Us

If you have questions regarding this Privacy Policy or our personal data protection practices, please contact us:

• Email address: info@supta.ge
• Phone number: +995322110626

Footnotes:

[1] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "k".

[2] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "b".

[3] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "k".

[4] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "b".

[5] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "k".

[6] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "i".

[7] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "b".

[8] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "k".

[9] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "i".

[10] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "b".

[11] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "i".

[12] Law of Georgia "On Personal Data Protection", Article 5, Clause 1, Sub-clause "a".