Version: 1.1
Valid from: 23 October 2025
CONTENTS
1. Introduction
2. Basic Information about Processing Activities
3. Purposes of Processing Your Data
4. Cookies
5. Persons with Access to Your Data
6. Data Export
7. Data Retention
8. Security
9. Your Rights
10. Final Provisions
1. Introduction
1.1 Purpose of this Policy
This Privacy Policy (this “Policy”) explains how we, RockawayX (as defined below), use the personal data of:
(a) individuals interacting with us in the ordinary course of business;
(b) the users of https://rockawayx.com or other webpages that may have led you here, including any online services offered on any such webpage (collectively, the “Websites”);
(c) the visitors of RockawayX’s office premises; and
(d) Employees, Interns, Contractors and freelancers operating under service agreements, to the extent they perform work akin to that of an employee.
We provide this information under Articles 13 and 14 of the General Data Protection Regulation (the “GDPR”).
For the sake of brevity, in this Policy we’ll refer both to you as an individual as well as any organization which you might be representing as though you were the same person.
1.2 Explanation of Technical Terms
Before reading this Policy, you’ll need to understand what ‘personal data’ and its ‘processing’ mean:
Personal data refers to (i) information which immediately identifies you (such as your name or your e-mail address), as well as (ii) other information which doesn’t identify you in isolation, but which could still theoretically lead back to you if someone were determined to achieve such identification, using proportionate means.
Processing of personal data refers to any operation involving personal data, including its collection, storage, transfers, analysis, collation into databases, linking with other data, usage to draw conclusions about you and other forms of use.
1.3 Companies Responsible for Your Data
This Policy applies to processing activities of the following companies:
(a) Rockaway X Holding a.s., ID No. 193 11 753;
(b) RockawayX a.s., ID No. 174 57 009;
(c) Blockad s.r.o., ID No. 080 06 458;
(d) RockawayX Infra s.r.o., ID No. 210 40 745;
(e) RockawayX Labs s.r.o., ID No. 179 30 545;
(f) RockawayX Distribution s.r.o., ID No. 22524690; and
(g) Digital Farm GmbH, ID No. FL-0002.673.808-5.
These companies (“RockawayX”, the “RockawayX Companies” or “we”) are closely interlinked and jointly determine the terms of processing your personal data. As such, they are what the GDPR calls joint controllers of your data.
1.4 Get in Touch
If you have questions regarding this Policy or wish to exercise one of the rights described in section 9 (Your Rights), please contact us:
(a) by e-mail, at legal@rockawayx.com;
(b) through the Czech databox service (datová schránka), at ID 5qrzdea; or
(c) by post, addressed to Blockad s.r.o., at the address listed in the row ‘sídlo’ here.
The RockawayX Companies maintain an arrangement where Blockad s.r.o. accepts and processes your queries and requests on behalf of all RockawayX Companies.
2. Basic Information about Processing Activities
Taking into account all the ways you typically interact with us, we process the following categories of personal data related to you:
2.1 Categories of Personal Data
Identification Data
- Examples: Name; last name.
- Typically processed when:
- You get in touch with us.
- It’s an inherent part of dealing with us in a certain matter.
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX.
- Headhunting.
Contact Data
- Examples: E-mail address; phone number; address of residence; delivery address.
- Typically processed when:
- You get in touch with us or otherwise communicate with RockawayX.
AML Data
- Examples: Identification and contact data; nationality, citizenship; tax residency; type of business; source of funds; copy of your personal ID/passport; bank details; sanction status; political exposure status.
- Typically processed when:
- Within the context of your dealings with us, we are obliged to perform AML checks.
Transactional Data
- Examples: Any personal information regarding transactions (contracts, payments etc.) between you (directly or an organization which you represent) and RockawayX or its affiliates, including bank account numbers, contact addresses etc.
- Typically processed when:
- You, typically being an investor, investee, a supplier, customer or another business partner, do, have done or negotiate future business with us.
Device Data
- Examples: IP address and approximate geolocation determined based on such address; MAC address; type, version, technical parameters of your device and browser; time zone; analytical and statistical information derived from any such data.
- Typically processed when:
- You browse our Websites.
Usage Data
- Examples: Information on how you use the Websites, e.g. what you click on, how much time you spend on various sections of the Websites and how you move around these sections; analytical and statistical information derived from any such data.
- Typically processed when:
- You browse or interact with our Websites.
E-Mail Interaction Data
- Examples: Data about if and when you read our direct marketing e-mails and what links you click on; analytical and statistical information derived from any such data.
- Typically processed when:
- You’ve subscribed to one of our newsletters.
Photos
- Examples: Photos and videos which feature you.
- Typically processed when:
- You attend one of our events.
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX and you enter RockawayX premises.
Candidate Data
- Examples: CV; cover letter; education and professional experience; information provided during interviews and related assessments; interview and assessment performance data; previous employer references; evaluation of all of the information above so as to assess whether you are a good fit for a given role; data necessary for the preparation of a contract of employment/services and compliance with employment-related regulations.
- Typically processed when:
- You’ve applied for a position at RockawayX.
- Headhunting.
Contractual Data
- Examples: Employment/service contract, job title, scope of work, fee, nationality.
- Typically processed when:
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX.
Payroll Data
- Examples: Bank account, salary, fee, bonuses, tax status, insurance information.
- Typically processed when:
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX.
Attendance Data
- Examples: Working hours, vacation, sick leaves, time off, office entry logs.
- Typically processed when:
- You are an Employee or Intern with RockawayX.
IT and Access Data
- Examples: Logins, device IDs, IP addresses, logs from corporate tools.
- Typically processed when:
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX.
Health Data and Emergency Contact Data
- Examples: Fit-for-work records, work injury reports, only as required by law, names and contact details of relatives in case of emergency.
- Typically processed when:
- You are an Employee or Intern with RockawayX.
CCTV Footage
- Examples: Visual records from security cameras.
- Typically processed when:
- You visit our offices.
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX and you enter RockawayX premises.
Privacy Control Data
- Examples: Information regarding consents or opt-ins to data processing or cookie storage and withdrawals of consents with or opt-outs from data processing or cookie storage; details about instances in which you’ve exercised your rights relating to privacy protection, including the subsequent dealings and proceedings in this regard; personal ID/passport copies/information to the extent needed to verify your identity when exercising rights.
- Typically processed when:
- You grant us or withdraw your consent with (or opt in for or opt out of) data processing or cookie storage.
- You exercise one of your rights related to the protection of privacy.
Communications Data
- Examples: The contents of any communications exchanged between you and us, including any personal data contained in such communications which you choose to give to us.
- Typically processed when:
- You communicate with us in any matter.
Communication Data of Interns or Employees
- Examples: Work emails, internal chats, calendar events.
- Typically processed when:
- You are an Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX.
2.2 Sources of Your Data
In general, the personal information we process comes from you or is derived from your use of the Websites, as described in this Policy or comes from your role as Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee. In some cases, we may obtain your personal information from external sources, such as:
(a) if you apply for a job at RockawayX or are contacted by us in connection with Direct Candidate Outreach (Headhunting), some of your Candidate Data may be collected from your LinkedIn account, recruitment agencies and websites (e.g. Human Capital Advisory Group, Grafton Recruitment, COCUMA, Jobs.cz, executivejob.cz, Techloop.io, AirJobs.cz, and similar), and your current or previous employers;
(b) if we need particular personal data related to you for the purpose of establishing, exercising or defending our rights against you, or for meeting a legal obligation, we can also obtain that piece of data from public registries, public authorities and any other external sources, as needed for the specific purpose.
2.3 Opting Not to Share Your Data
In principle, you don’t need to share any of your personal data with us if you don’t want to. However, in some cases, a failure to do so will inevitably result in our inability to enter into a transaction with you, provide a service, engage you as our Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee, or act upon your request, such as:
(a) if providing certain data is necessary for the preparation or fulfilment of a contract between us, or for meeting a legal obligation which applies in connection with the subject matter of that contract, we won’t be able to enter into the contract;
(b) by extension, if we are required to conduct identity, source of funds or other checks under anti-money laundering laws before transacting with you, we won’t be able to proceed unless you give us the necessary AML Data;
(c) if you apply for a job with us and refuse to provide the requested Candidate Details through the designated online form or to an HR colleague, your application might be incomplete, and we won't be able to consider you for the role; and
(d) if you wish to exercise one of the rights described in section 9 (Your Rights), we need to confirm your identity and fully understand the nature and scope of your request. If you don’t help us verify your identity or define your request, we might not be able to assist you.
3. Purposes of Processing Your Data
This section explains why we process your personal data (‘purposes of processing’) and what entitles us to do so (‘legal basis for processing’).
3.1 Doing Business
If you’re our investor, customer, supplier or other business partner, we may use your Identification Data, Contact Data, Transactional Data and Communications Data to communicate and do business with you (in accordance with any contract we might have, if applicable), and to administer our business relationship with you on an ongoing basis. This includes the preparation, negotiation and performance of our legal agreements with you or the organization you represent, accepting or making payments from/to you, and the processing of any requests and queries you might have.
We’re entitled to process your personal data for such purposes because it is necessary for the preparation or fulfilment of our contract with you (Article 6(1)(b) GDPR), or, where no contract is in place and we’re not negotiating one, because it is necessary for the proper operation and administration of our business, in which we have a legitimate interest (Article 6(1)(f) GDPR).
3.2 Compliance with Legal Obligations
We process your Identification Data, Contact Data, Transaction Data, AML Data, Privacy Control Data, Communications Data and other personal data to the extent necessary to comply with legal obligations. For illustration, this could be:
(a) an obligation to archive or present corporate, accounting and tax materials in accordance with Act No. 586/1992 Coll., on Income Tax, Act No. 235/2004 Coll., on Value Added Tax, Act No. 563/1991 Coll., on Accounting, and Act No. 499/2004 Coll., on Archiving (in which case mainly your Transactional Data will be used);
(b) an obligation to document and implement or respond to your preferences, questions, objections, right exercises and other communications regarding the treatment of personal data in accordance with the GDPR, Act No. 127/2005 Coll., on Electronic Communications, and Act No. 480/2004 Coll., on Information Society Services (in which case mainly your Privacy Control Data will be used);
(c) an obligation to conduct KYC/AML checks in accordance with Act No. 253/2008 Coll., on Measures against Money Laundering and Financing of Terrorism (in which case mainly your AML Data will be used); or
(d) an obligation to disclose evidence or other documentation to public authorities.
We’re entitled to process your personal data for such purposes under Article 6(1)(c) GDPR.
3.3 Operation and Improvement of Websites
Functioning
- Description:
If you visit our Website, we process your Device Data to ensure that the Website functions properly and securely. You should also note we use cookies for these purposes – see section 4 (Cookies) below.
- Legal Basis:
The processing is necessary for the fulfilment of our contract with you relating to the provision of the Websites (Article 6(1)(b) GDPR).
Improvement of performance
- Description:
If you visit our Website and give us consent, we’ll process your Usage Data to improve its performance and user-friendliness, including the testing of various versions of the Website and its functionalities, measuring of user engagement, and the creation of various reports, analyses and statistics based on the above. We may also use cookies for these purposes – see section 4 (Cookies) below.
- Legal Basis:
The legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid for as long as the respective analytics cookie remains active – see section 4 (Cookies) below. You may withdraw your consent at any time by opting out of analytics cookies on the respective Website. Such withdrawal will, however, not affect the lawfulness of processing based on the consent before its withdrawal.
3.4 Recruitment
Hiring process
- Description:
If you apply for a job at RockawayX, we’ll use your Identification Data, Contact Data and Candidate Data for the purpose of conducting the recruitment process and assessing your suitability for the relevant position.
- Legal Basis:
The processing is necessary for determining whether or not, following your application, we should enter into a contract of employment/contract for services with you (Article 6(1)(b) GDPR).
Job offers
- Description:
If you apply for a job at RockawayX and give us consent, we’ll include your Identification Data, Contact Data and Candidate Data in a candidate database shared by all RockawayX Companies and potentially contact you with relevant job offers with the RockawayX Companies in the future.
- Legal Basis:
The legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid for a period of 5 years. You may withdraw your consent at any time by notifying RockawayX (see section 1.4 (Get in Touch) above). Such withdrawal will not, however, affect the lawfulness of processing based on the consent before its withdrawal.
3.5 Marketing and Events
Newsletters
- Description:
If you subscribe to one of our newsletters, or if you enter into a work relationship with us (without opting out of newsletters), we’ll be able to use your Contact Data to send you such relevant newsletter by e-mail until you unsubscribe from it.
- Legal Basis:
If you subscribe to one of our newsletters, the legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid indefinitely. You may withdraw your consent at any time by notifying RockawayX (see section 1.4 (Get in Touch) above). Such withdrawal will, however, not affect the lawfulness of processing based on the consent before its withdrawal.
In cases where we send you newsletters because of your work relationship with us, the legal basis for the processing is our legitimate interest in keeping our team updated on the performance of, and other developments throughout, RockawayX and its affiliates (Article 6(1)(f) GDPR). You can still opt out of newsletters at any time (see section 1.4 (Get in Touch) above), in which case you will no longer receive them.
Direct marketing analytics
- Description:
If you read or further interact with a newsletter, corporate event invitation or a similar mass communication sent via MailChimp or a similar service, we’ll receive your E-Mail Interaction Data and be able to use it for various (internal) analytical purposes.
- Legal Basis:
The processing is necessary for our legitimate interest of evaluating the performance of our marketing communications such as newsletters and corporate event invitations (Article 6(1)(f) GDPR). You can opt out of newsletters and invitations at any time (see section 1.4 (Get in Touch) above), in which case you will no longer receive them.
Event invitations
- Description:
If you enter into a work or business relationship with us (without choosing to opt out of event invitations), we’ll use your Contact Data to invite you to various corporate events held by RockawayX which are relevant for you, until you opt out of such invitations.
- Legal Basis:
The processing is necessary for our legitimate interest of staying in touch (networking) with our stakeholders and business partners, and for spreading awareness about our group and events (Article 6(1)(f) GDPR). You can opt out of invitations at any time (see section 1.4 (Get in Touch) above), in which case you will no longer receive them.
Photos from events
- Description:
If you attend an event held by RockawayX, then, unless you object, we may take Photos of (among others) you and post such Photos on our Websites, social media, and our corporate or marketing reports, newsletters, brochures and other materials. We’ll be able to keep using such Photos in the described manners until you ask for them to be taken (and kept) down.
We will never use Photos if – erring on the side of caution – we find them capable of causing any type of harm (including disrepute) to you or anyone else.
- Legal Basis:
The processing is necessary for our legitimate interest of (a) adding content to our Websites, social media, and our corporate or marketing reports, newsletters, brochures and other materials, and (b) spreading awareness about our group and events (Article 6(1)(f) GDPR). You can ask for Photos to be taken (and kept) down, to be un-tagged from Photos etc. at any time (see section 1.4 (Get in Touch) above), in which case we will do so immediately.
Targeting
- Description:
If you visit our Website and give us consent, we’ll collect and hand some of your Usage Data over to third parties so that they can serve you more relevant ads. We use cookies for these purposes – see section 4 (Cookies) below.
- Legal Basis:
The legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid for as long as the respective marketing cookie remains active – see section 4 (Cookies) below. You may withdraw your consent at any time by opting out of marketing cookies on the respective Website. Such withdrawal will, however, not affect the lawfulness of processing based on the consent before its withdrawal.
3.6 Enforcement of Rights; Safety Measures
Enforcement of rights
- Description:
If (a) you have a work or business relationship with us, (b) cause us or another person damage or harm, or (c) we end up having a legal dispute, we may store, share and further use your personal data for the purpose of establishing, exercising and defending the affected person’s rights against you.
- Legal Basis:
The processing is necessary for the affected person’s legitimate interest in establishing, exercising and defending its rights against you (Article 6(1)(f) GDPR).
Office safety
- Description:
At our offices, we record and retain CCTV Footage for the purpose of protecting our and others’ property and ensuring the safety of our personnel. If you visit our offices, you may appear in such CCTV Footage.
- Legal Basis:
The processing is necessary for our legitimate interest in protecting our and others’ property and ensuring the safety of our personnel (Article 6(1)(f) GDPR).
3.7 Other Purposes
Dealings not described elsewhere
- Description:
If you turn to us with a request or question or otherwise communicate with us in a context not specifically addressed elsewhere in this Policy, we’ll use your Identification Data, Contact Data and Communications Data for achieving the purpose of the communication.
- Legal Basis:
We’re entitled to do so either because you have voluntarily contacted us with the personal data and asked us (given us consent) to do something with it (Article 6(1)(a) GDPR), or, in other cases, because it’s necessary for our legitimate interest of properly handling all communications addressed to us (Article 6(1)(f) GDPR).
M&A transactions
- Description:
If a third party (‘an investor’) is interested in acquiring, directly or indirectly, the whole or a part of our business (a ‘transaction’), we may
(a) grant the investor and its advisors very limited access to your personal data so that the investor may conduct due diligence on our business, and
(b) following the transaction, transfer your personal data to the investor such that it can process the data for the same or compatible purposes as we have been.
- Legal Basis:
The processing is necessary for our and the investor’s legitimate interest in (a) preparing and executing the transaction properly (including the proper evaluation of our business and assets) and (b) ensuring smooth migration of our business to the investor following the transaction (Article 6(1)(f) GDPR).
Analytics
- Description:
We may use your personal data for the purpose of creating various internal reports, analytics, statistics and financial models.
- Legal Basis:
The processing is necessary for our legitimate interest in maximizing insight into business performance (Article 6(1)(f) GDPR).
Free use of anonymized data
- Description:
We may also anonymize your personal data and use such anonymized data for any purposes whatsoever, such as the inclusion of the anonymized data in various materials which may then be shared with, or even sold to, third parties, or the commercialization of the anonymized data in any other manner we deem fit.
- Legal Basis:
The processing is necessary for our legitimate interest in sharing insights into our business performance with our stakeholders and other third parties, and, potentially, commercializing such insights (Article 6(1)(f) GDPR).
3.8 Employment and Work Purposes
If you’re our Employee, Intern, Contractor or freelancer operating under service agreements, to the extent you perform work akin to that of an employee with RockawayX, we may use your Identification Data, Contact Data, Transactional Data, Photos, Contractual Data, Payroll Data, Attendance Data, IT and Access Data, Health Data and Emergency Contact Data, CCTV Footage, Communications Data and Communication Data of Interns or Employees to communicate with you, do business with you, employ you, and administer such relationships with you on an ongoing basis. This includes the preparation, negotiation and performance of our legal agreements, accepting or making payments from/to you, the processing of any requests and queries you might have, protecting your safety and the safety of other persons who are with RockawayX, and fulfilling regulatory labor requirements.
We’re entitled to process your personal data for such purposes because it is necessary for the preparation or fulfilment of our contract with you (Article 6(1)(b) GDPR), or, where no contract is in place and we’re not negotiating one, because it is necessary for the proper operation and administration of our business, in which we have a legitimate interest (Article 6(1)(f) GDPR). We’re also entitled to process your personal data for purposes of fulfilling regulatory labor requirements under Article 6(1)(c) GDPR.
4. Cookies
4.1 If you visit our Websites, we’ll store small files called ‘cookies’ on your device and read them as you continue browsing the Websites. You may encounter the following types of cookies on our Websites:
(a) Strictly necessary cookies. These cookies are necessary for the Websites to work properly and cannot be turned off unless you do so in your browser settings.
(b) Personalization cookies. Personalization/preference cookies allow the Websites to remember certain choices you make (such as your preferred language version) and as a result provide personalized features. They will only be used if you accept them proactively.
(c) Analytical cookies. Analytical/statistical cookies collect data about how you visit, navigate and interact with the Websites so that we can get to know our audience or improve the Websites gradually. The Google Analytics service is a good example of this type of cookies. These cookies will only be used if you accept them proactively.
(d) Marketing. Marketing cookies are used to deliver advertisements which are relevant to you and your interests. They are also used to limit the number of times you see an advertisement and to help measure the effectiveness of our or others’ advertising campaigns. Information extracted from marketing cookies may be shared with third parties, such as social network operators or advertising agencies. These cookies will only be used if you accept them proactively.
4.2 At the moment, we use the following specific cookies on our Websites:
Cookiehub
- Type and Purpose:
Necessary. Used by CookieHub to store information about whether visitors have given or declined the use of cookie categories used on the site.
- Storage Length:
1 year
- First Party / Third Party:
Third Party (CookieHub)
_ga
- Type and Purpose:
Analytics. Contains a unique identifier used by Google Analytics to determine that two distinct hits belong to the same user across browsing sessions.
- Storage Length:
2 years
- First Party / Third Party:
Third Party (Google)
ga
- Type and Purpose:
Analytics. Contains a unique identifier used by Google Analytics 4 to determine that two distinct hits belong to the same user across browsing sessions.
- Storage Length:
2 years
- First Party / Third Party:
Third Party (Google)
4.3 You can use the cookie banner on our Websites to adjust your preferences for storage of different types of cookies; this doesn’t apply to strictly necessary cookies, which are set automatically and cannot be disabled in the cookie banner.
4.4 If you’d like to avoid cookies altogether, you can restrict or prohibit their storage in the settings of your browser. This is how to do it on the most prominent browsers:
4.5 You can opt out of Google Analytics tracking completely here.
5. Persons with Access to Your Data
5.1 We may engage the following individuals and organizations in processing your personal data for the purposes described above:
(a) other RockawayX Companies (e.g. Blockad Advisory FZE, ID No. 3132, RockawayX Infra Ltd., ID No. 426390);
(b) professional advisors (e.g. lawyers, business/management/marketing consultants, tax and accounting advisors and auditors, payroll and accounting providers) which provide services to the RockawayX Companies;
(c) banks and other payment services providers used by the RockawayX Companies to process payments;
(d) providers of software and other technical infrastructure (e.g. cloud and hosting services) which provide services to the RockawayX Companies;
(e) providers of analytical or ad targeting services (mainly Google via the Google Analytics service and Facebook via its marketing cookies);
(f) agencies and websites used for recruitment purposes (e.g. Human Capital Advisory Group, Grafton Recruitment, COCUMA, Jobs.cz, executivejob.cz, Techloop.io, AirJobs.cz, and similar);
(g) other providers of services necessary for the proper operation of our business;
(h) persons directly or indirectly acquiring or investing in our business, and their representatives;
(i) public authorities (e.g. courts, the police, tax or labor inspectors, regulatory authorities and various state bodies) where so required by law or where this is necessary for the achievement of legitimate aims; and
(j) any such other individuals or organizations which you permit or instruct us to give your personal data to.
5.2 Whenever we post an ad for a job at RockawayX on one of our Websites, we’ll forward all responses to this ad to Blockad s.r.o., ID No. 080 06 458, or another RockawayX company specified in the job ad (if applicable). In this case we process your personal data on behalf of the respective RockawayX company as a so-called ‘processor’ (whereas the respective RockawayX company is the ‘controller’); we don’t process the data for our own purposes. You’ll find more information about how RockawayX processes your application here.
5.3 In the cases of data processing by other entities listed under art. 5.1 of this Policy, RockawayX ensures that your personal data is adequately protected and where applicable, RockawayX concludes a data processing agreement, binding the relevant processor to fulfill the requirements under relevant laws and regulations.
5.4 We maintain physical, electronic and organizational measures to protect your data, including restricted access, secure servers, and encrypted communication. Access is granted strictly on a need-to-know basis.
6. Data Export
We may transfer some of your personal data outside of the European Economic Area where the GDPR doesn’t apply. This will typically (but not exclusively) be:
(a) the United Kingdom and Switzerland, each of which has been determined by the European Commission to ensure an adequate level of protection of personal data (a so-called ‘adequacy decision’); or
(b) the United States, the Cayman Islands and the United Arab Emirates, in which case we use the standard contractual clauses (SCCs) adopted or approved by the European Commission or other safeguards accepted by the GDPR.
7. Data Retention
7.1 As a general rule, we store your data until they are no longer necessary for the achievement of the purposes we process them for. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the data, the potential risk of harm from its unauthorized disclosure or other processing, the purposes for which we process the data and whether we can achieve those purposes through other means, as well as the applicable legal, regulatory, tax, accounting or other requirements. Once we no longer need your data, we will either erase (destroy) it, anonymize it, or, if this is not possible, then we will securely archive your data and isolate it from any further use until deletion is possible.
7.2 To give you a more exact idea, the following are some of the more specific principles we follow:
(a) CCTV Footage is automatically overwritten every 2 months, unless extended due to security incidents;
(b) if we process a certain piece of personal data based on your consent and you withdraw such consent or the consent expires, we’ll erase the data after such withdrawal or expiration unless this Policy states we may process the data for a different purpose, on a different legal basis;
(c) if we are required by law to retain a certain piece of personal data (see e.g. Act No. 586/1992 Coll., on Income Tax, Act No. 235/2004 Coll., on Value Added Tax, Act No. 563/1991 Coll., on Accounting, Act No. 499/2004 Coll., on Archiving or Act No. 253/2008 Coll., on Measures Countering Money Laundering and Financing of Terrorism, Act No. 262/2006 Coll. Labour Code), we’ll keep the data for as long as the law prescribes, irrespective of any default retention period;
(d) if we find ourselves in a dispute with you, we’ll keep personal data needed to establish, exercise or defend our rights in such dispute (see first row of section 3.6 (Enforcement of Rights; Safety Measures)) at least until such time the dispute has been concluded and we no longer owe each other anything, irrespective of any default retention period;
(e) if we anonymize a certain piece of data, we can retain it indefinitely.
7.3 In some cases, you have the right to demand that we erase your personal data – see section 9.4 (Right to Erasure).
8 Security
Any personal data we process is kept strictly confidential and secure. Our Websites possess a valid certificate issued by a trusted security authority and your personal data is protected using Secure Socket Layers (SSL) as it passes between you and the Website. That means the information is encrypted and can’t be intercepted by an attacker. We follow best practices in information security to protect your personal data during transmission and once we receive it, meaning only authorized persons are permitted to access it. All such persons with access are bound by confidentiality agreements.
9 Your Rights
9.1 General
(a) In order to retain control over your personal data, you have a multitude of rights at your disposal. Such rights are summarized further in this section, but note this summary is simplified and you should read the GDPR or obtain independent legal advice to get a full picture.
(b) If you wish to exercise one of your rights or want to raise another request or query in connection with your personal data, please reach out using one of the means set out in section 1.4 (Get in Touch).
(c) We’ll respond to your request and let you know what steps we’ve decided to take in relation to it as soon as possible, and no later than 1 month from the time we’ve received a clear, complete request from you and have verified your identity. Particularly complicated requests might exceptionally take us up to 2 more months to sort out – we’ll let you know if this happens to be the case.
9.2 Right of Access
You may at any time request confirmation as to whether we process personal data concerning you and, if so, for what purposes, to what extent, to whom they are disclosed, for how long we will process them, whether you have the right to rectification, erasure, restriction of processing or objection or to file a formal complaint, where we have obtained the personal data and whether automated decision-making, including profiling, occurs on the basis of the processing of your personal data. In addition, you have the right to obtain a copy of your personal data, the first provision of which is free of charge (we may charge a reasonable administrative fee for the provision of further copies).
9.3 Right to Rectification
You can ask us to correct or complete your personal data at any time if it is inaccurate or incomplete.
9.4 Right to Erasure (‘Right to Be Forgotten’)
You can ask us to erase your personal data if:
(a) it is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) it is processed based on your consent, you withdraw such consent and no other legal basis for processing is available;
(c) you object to the processing and there are no overriding legitimate grounds for the processing;
(d) its processing is unlawful; or
(e) we are required to do so by law.
Please understand that the right to erasure is not absolute (unconditional); for example, we may not be able to delete your data if we need to retain it in order to establish, exercise or defend legal claims, or if an important public interest prevents erasure.
9.5 Right to Restriction of Processing
Where one of the following circumstances applies, you can ask us to pause (‘suspend’) processing your personal data with the exception of storage, and to only use them for establishing, exercising or defending legal claims or for purposes with which you give consent:
(a) you challenge the accuracy of the processed data (in which case we’ll restrict its processing until we verify accuracy);
(b) processing of the data is unlawful and you don’t want us to erase it;
(c) we no longer need the data for the purposes for which it was collected or otherwise processed; or
(d) you have objected to the processing and there are no overriding legitimate grounds for the processing (in which case we’ll restrict its processing pending our assessment of the legitimate grounds).
9.6 Right to Object
You have the right to object to the processing of personal data that we process for direct marketing purposes (see e.g. section 3.5 (Marketing and Events)) or for processing based on our or others’ legitimate interests. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes; in other cases, we’ll stop the processing activity if your own interests outweigh our interests in continuing the processing.
9.7 Right to Data Portability
You have the right to obtain personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, as well as the right to transfer this data to another controller if the processing of this data is based on consent or a concluded contract and this processing is automatic.
9.8 Right to Lodge a Complaint
While we will always appreciate if you contact us first in case of any requests regarding the processing of personal data, you always have the right to file a complaint to the supervisory authority. In our case, this is the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů) at Pplk. Sochora 727, 170 00 Prague 7 – Holešovice, Czech Republic (www.uoou.cz).
10 Final Provisions
10.1 This Policy becomes effective on the date first written above.
10.2 We may make changes to this Policy at any time, in which case we’ll publish a new version of it on our Websites.
10.3 This Policy is governed by the laws of the European Union and, beyond the scope of EU law, the laws of the Czech Republic.