PriServices and Affiliates Privacy Statement

1. Introduction

Welcome to the joint privacy statement of PriServices B.V. and its affiliates: PriPost B.V., PriParcel B.V., PriOffice B.V. and PriTelecom (hereinafter collectively referred to as "we" or "us"). This statement explains how we process personal data when you use our services, websites and (online) portals, including the services of:

• PriPost: Mail processing and forwarding;
• PriParcel: Shipping and forwarding of (parcel) shipments;
• PriOffice: Office and workplace services (membership form);
• PriTelecom: Telecommunications services;
• PriServices: Management of financial aspects, deposit and administration for the above-mentioned services.

We would like to inform you transparently about what data we collect, for what purpose, how long we keep it and what rights you have. The processing of personal data by us complies with the relevant European and national privacy legislation, including the General Data Protection Regulation (GDPR).

2. Controller and Processor

• In many cases, PriServices B.V. is a processor for the subsidiaries (PriPost, PriParcel, PriOffice) that themselves act as controllers.
• PriTelecom is a trade name of PriServices B.V. and in that case acts as the controller.
• For some situations in which we process personal data of end users or third parties (e.g. for PriPost) (such as scanning mail), we enter into a separate processing agreement (DPA).
• In this privacy statement, we collectively refer to ourselves as the "PriServices Group".

Questions about your data?
Please contact us using the contact details at the bottom of this statement.

3. What data do we process and for what purpose?

3.1 General data (Account, Invoicing, Deposit)

When you sign up for one of our services, we create an account in our PriPortal. We process:

• Basic data: name (first and last name), company name, address, e-mail address, telephone number;
• Financial data: payment data, billing address, Depot transactions, collection data;
• Communication: correspondence with customer service, questions and comments via the PriPortal.

Purpose & basis

• Performance of the Agreement for invoicing, provision of services and account management;
• Legal obligation for our financial administration (7 years retention obligation).

3.2 PriPost

For PriPost (mail processing and forwarding) we process:

• Postal address details: the address where we receive mail on your behalf;
• Details of addressees (if any);
• Scans of mail (if you purchase that service). Mail scans may contain (special) personal data of third parties.
• KYC/WWFT data (copy of ID, Chamber of Commerce extract, etc.), legally required for domicile.

Purpose & basis

• Performance Agreement to receive, scan, forward your mail;
• Legal obligation (WWFT) for identification/domicile control;
• Legitimate interest to prevent fraud, verify addresses.

Data processing agreement
When we scan mail that contains personal data of third parties, we can act as a processor on your behalf. In that case, our General Data Processing Agreement (DPA) for PriPost applies. You can view and print these via the following link:
https://www.legaldocs.center/priservices/t01-en-post-dpa.html

3.3 PriParcel

For PriParcel (shipping of parcels) we process:

• Name and address details of sender and addressee;
• Content Data (limited to what is necessary, we do not generally monitor content unless there is a legal suspicion of prohibited goods).
• Tracking data (shipping status, transport information).

Purpose & basis

• Performance Agreement to create and handle shipments with carriers;
• Legal obligation (customs legislation) in the case of international shipments;
• Legitimate interest to detect fraud or abuse (e.g. control of dangerous goods).

Data processing agreement
If you (as a webshop) choose to have PriParcel process returns or data of your customers, a separate DPA may apply. You can view and print these via the following link:
https://www.legaldocs.center/priservices/t01-en-parcel-dpa.html

3.4 PriOffice

For PriOffice (office and workplace services) we process:

• Membership data: name, company name, contact details;
• Possibly ID details and Chamber of Commerce extract for domicile (if relevant);
• Access registration for the workplace (check-in and check-out, reservations).

Purpose & basis

• Implementation of the Agreement for membership and office services;
• Legal obligation (WWFT) for certain direct debits.
• Legitimate interest to ensure order and safety in the office location.

3.5 PriTelecom

For PriTelecom (telecommunication services, trading under PriServices B.V.) we process:

• Communication data: phone number, call metadata (time, duration, destination).
• Identification: Subscriptions and number porting may require ID and address verification.
• Traffic data (to the extent permitted by law), in compliance with the Telecommunications Act.

Purpose & Basis

• Performance of the Agreement for telephony/VoIP services;
• Legal obligation under the Telecommunications Act (including retention obligation in limited cases);
• Legitimate interest (fraud prevention, network security).

3.6 KYC/AML checks

For certain services (PriPost, PriOffice, PriTelecom) we are obliged to verify the identity of our customers (WWFT). This may include:

• Document control (ID, passport, etc.);
• Adverse Media and AML check (screening against sanctions lists).

For our ID check and KYC check, we use software and the services of ZignSec AB, a company based in Stockholm (Sweden). The actual processing (including viewing ID documents) takes place entirely in the EU by our own employees and/or sub-processors within the EEA.

4. Retention periods

• Financial data: 7 years (tax hold).
• WWFT data (KYC/AML): 5 years after the end of the customer relationship, in accordance with the law.
• Account data: for as long as necessary for the performance of our services. If you terminate your account, we will delete the data after 12 months, unless there is a legal ground to keep it longer.
• Automatic deletion: The supplier of our platform has an ISO 27701 and 27701 certification and automated processes have been implemented that delete data after the retention period has expired.

5. Sharing and transfer to third parties

1. Sub-processors and hosting
   • AgileGrowth Solution LLC-FZ (UAE) develops and maintains our PriPortal. They have technical access to the environment but only process your data on our behalf.
   • External scanning party (ISO certified) at PriPost, only on behalf of PriPost.
   • ZignSec AB (Sweden) for KYC/AML checks.
   • Hosting of our servers takes place within the EU (Amsterdam, Frankfurt).
2. External carriers
   • With PriParcel and PriPost (physical forwarding), we share shipping data with couriers or postal services. They are themselves responsible for the transport.
3. Legal obligations
   • We may be obliged to share data with (for example) the Tax and Customs Administration, Justice, Customs or other competent authorities when required to do so by law.
4. No commercial sales
   • We do not share and/or sell personal data with third parties for marketing, advertising, or other purposes.

6. Newsletters and marketing

• Existing business customers: we can inform you (incidentally) about our services or related offers, based on legitimate interest (business context). You can unsubscribe at any time via the unsubscribe link.
• Consumers/Private customers: we ask permission in advance for (digital) newsletters. Here too you can unsubscribe via the unsubscribe link.
• Personalization: we sometimes mention the first name in our mailing (to address the email personally). This is allowed because you have provided that data yourself. You can object to personalized email.

7. Cookies and tracking

• Consent: We display a cookie banner on our websites. You can indicate which cookies you allow (functional, analytical, marketing).
• Analytics: For example, we use Google Analytics. This can only be done with your consent (unless we anonymize IP addresses and use the advised privacy settings, depending on the implementation).
• Separate Cookie Statement: For more details about the cookies used, please refer to our Cookie Statement.

8. Security of personal data

We attach great importance to the careful and secure processing of your personal data. That is why we have taken technical and organizational measures that comply with the ISO 27001 and ISO 27701 standards. These standards provide a framework for the security of both general (ISO 27001) and privacy-related (ISO 27701) information. Our software supplier AGS, which develops and maintains the PriPortal, is ISO-certified and applies the same high standards.

Encryption (encryption)

• Encrypted storage:
  All PII (Personally Identifiable Information) that we process is stored in an encrypted manner. This applies in particular to passport data and other documents processed in the context of our services (such as KYC/AML checks).
• Encryption at rest and in transit:
  Where possible, we apply encryption, both when data is 'at rest' in our database(s) and when it is 'in transit' (e.g. via SSL/TLS when logging in and uploading/downloading files). As a result, unauthorized persons cannot gain access to the information, even if they gain unauthorized access to our systems.

Access management and authorizations

• Strict Authorization:
  PII data is only accessible to authorized employees, who necessarily need the data for the performance of their tasks (e.g. the compliance department in the event of a KYC check, or customer service in the event of an invoicing question).
• Role-based access control:
  We work with role- and task-based authorizations, so that an employee only gets the minimum rights that are necessary.
• Logging and monitoring:
  Access to sensitive data is logged and monitored. Any unauthorized access attempts can thus be detected.

Continuous maintenance and audits

• ISO 27001 and 27701 certification:
  In cooperation with our software supplier AGS, we meet the requirements of ISO 27001 (Information Security Management) and ISO 27701 (Privacy Information Management). These certifications are periodically tested by an independent auditor.
• Regular audits:
  We (and/or AGS) regularly conduct internal and external audits to assess and, if necessary, tighten the effectiveness of the security measures.
• Up-to-date software:
  Our servers and systems are patched regularly and security updates are implemented quickly.

Other measures

• Physical Security:
  The data centers in which our servers are located have strict access controls (such as biometric identification and 24/7 camera surveillance).
• Incident response:
  We have an incident response and data breach procedure in place, which outlines how we act and communicate if something unexpectedly goes wrong.

9. Rights of Data Subjects

1. Right of Access, Rectification, Deletion
   • You can view your data via the PriPortal or have it updated, insofar as legally permitted (e.g. if there is no tax or WWFT obligation to retain data).
   • Do you want to change your company name or name and address details? In that case, this can only be done through a contract takeover procedure (e.g. in the event of a change of legal form).
2. Right to Restriction and Objection
   • In certain cases, you have the right to restrict processing, or to object to processing based on our legitimate interest.
3. Right to Data Portability
   • Where applicable (e.g. in a B2C context), you can request a structured, commonly used and machine-readable format of your data.
4. Exercising Your Rights
   • You can exercise your rights in the PriPortal. In some cases, we will ask you for additional identification or information, especially when it comes to sensitive data.
   • Please be aware of legal retention periods (e.g. WWFT) that may prevent us from always complying with a request for deletion.

10. Complaints and contact

1. Questions or complaints
   • If you have any questions about your personal data, please contact our Privacy Officer via e-mail address privacy@priservices.eu.
2. Dutch Data Protection Authority
   • If you are not satisfied with the way we handle your personal data, you have the right to lodge a complaint with the national supervisory authority, in the Netherlands the Dutch Data Protection Authority.

11. Changes to this Privacy Statement

• We may change this Privacy Statement from time to time. The most recent version is always available on https://www.legaldocs.center/priservices/t01-en-privacy-statement.html.
• If we make any fundamental changes, you will be notified (e.g. by e-mail or via a notification in the PriPortal).

12. Concluding remarks

• One overarching explanation:
  This statement applies to PriServices B.V., PriPost B.V., PriParcel B.V., PriOffice B.V. and PriTelecom (trade name of PriServices B.V.), unless the Service-Specific Terms include additional or deviating rules that are permitted under the GDPR.
• In the event of any discrepancies or discrepancies between the English version of this declaration and the translations into other languages, the Dutch version shall prevail.
• Data processing agreements:
  For B2B customers who have their own customer data processed by us (e.g. PriPost scanning or PriParcel return service), we enter into separate DPAs. This privacy statement only refers to this; The specific legal framework is set out in the processing agreement.