Privacy Policy

1. Introduction

This Privacy Policy ("Policy") explains how IWE Advisory, s.r.o. ("Company," "we," "us," or "our") collects, uses, discloses, and safeguards your personal data when you use our consulting services, visit our website, or interact with us in any capacity. We are committed to protecting your privacy and ensuring you have a positive experience on our platforms and when engaging with our services.

Please read this Privacy Policy carefully. If you have questions about this policy or our privacy practices, contact us using the information provided below.

This Privacy Policy is governed by the General Data Protection Regulation (GDPR) (EU) 2016/679 and applies to all natural persons whose personal data we process. As a consulting business operating in the European Union, we comply with all applicable EU and Czech data protection legislation.

2. Data Controller Information

Company: IWE Advisory, s.r.o.
Business Type: Management Consulting / Fractional Advisory Services
Email: contact@iwe-advisory.com
Registration Number: 09800492

3. Personal Data We Collect

We collect personal data only when necessary to provide our advisory services and operate our business.
The categories of personal data we may collect include:

3.1 From Clients and Prospective Clients
• Identification Data: Name, professional title, company name, business registration numbers
• Contact Information: Email address, phone number, postal address, office location
• Professional Information: Job title, department, professional background, credentials
• Communication Data: Records of conversations, emails, meeting notes, project discussions
• Financial Information: Billing address, payment method, invoicing details, purchase history
• Service Usage Data: Engagement scope, project timeline, deliverables, performance metrics

3.2 From Website Visitors
• Technical Data: IP address, browser type, device type, operating system
• Cookies and Tracking: Cookie identifiers, usage patterns, browsing behavior, pages visited
• Analytics Data: Time spent on site, referral source, links clicked, downloads initiated
• Voluntary Submissions: Contact form submissions, inquiry details, consultation requests

3.3 From Job Applicants
• Personal Data: Name, date of birth, contact information, professional history
• Employment Data: Resume/CV, cover letter, qualifications, experience, references
• Communication Data: Interview notes, assessment results, evaluation feedback

3.4 From Service Vendors and Partners
• Business Contact Data: Name, company, email, phone, business address
• Transaction Data: Payment records, contract terms, service agreements

4. Legal Basis for Processing

We process personal data only on valid legal bases as defined in Article 6 of the GDPR:

Category of Data | Purpose | Legal Basis
Client Identification & Contact Data | Performing advisory services and client engagement | Contract (Art. 6(1)(b))
Project Communication & Deliverables | Fulfilling contractual obligations and service delivery | Contract (Art. 6(1)(b))
Financial & Billing Data | Invoice generation, payment processing, accounting | Contract & Legal Obligation (Art. 6(1)(b), (c))
Website Analytics & Technical Data | Improving website functionality and user experience | Legitimate Interest (Art. 6(1)(f))
Email Communication & Newsletters | Marketing communications (with prior consent) | Consent (Art. 6(1)(a))
Job Applicant Data | Recruitment and employment evaluation | Contract Preparation & Legal Obligation (Art. 6(1)(b), (c))
Vendor & Partner Data | Managing business relationships and contracts | Contract & Legitimate Interest (Art. 6(1)(b), (f))
Regulatory Compliance Records | Tax, accounting, and legal compliance | Legal Obligation (Art. 6(1)(c))

5. Purposes of Processing

We process your personal data for the following purposes:
1. Service Delivery: To provide fractional advisory services (CFO, COO, CMO, CBO, or other roles), including planning, execution, reporting, and client communication
2. Contract Performance: To fulfill our contractual obligations, manage engagements, deliver deliverables, and handle service-related inquiries
3. Business Administration: For billing, invoicing, payment processing, accounting, and financial recordkeeping
4. Communication: To respond to inquiries, provide updates, send service-related notifications, and maintain professional correspondence
5. Marketing: To send promotional materials, newsletters, and business development communications (only with your consent)
6. Website Operations: To maintain website functionality, analyze usage patterns, improve user experience, and ensure cybersecurity
7. Recruitment: To evaluate job applications, conduct interviews, and manage the employment process
8. Legal Compliance: To meet tax obligations, regulatory requirements, data protection laws, and contractual obligations
9. Dispute Resolution: To address disputes, enforce contracts, and protect our legal rights
10. Security: To detect fraud, prevent unauthorized access, and protect against malicious activity

6. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by applicable law.

Retention Periods:
• Client Data: Retained for the duration of the consulting engagement plus 7 years for accounting and tax purposes (Czech tax law requirement)
• Contract & Invoice Data: 7 years (Czech Accounting Act requirement)
• Communication Records: 3 years after the last communication or contract termination
• Website Cookies & Analytics: As configured in cookie settings (typically 12-24 months)
• Job Applicant Data: 1 year from application date (unless hired, then follows employment records policy)
• Marketing List Data: Until withdrawal of consent or opt-out request
• Security Logs: 30-90 days for intrusion detection purposes

After the retention period expires, we securely delete or anonymize your personal data unless legal obligations require longer retention.

7. Data Sharing and Recipients

We do not sell your personal data.
However, we may share your personal data with the following categories of recipients:

7.1 Service Providers
We engage third-party service providers to assist with operations:
• Cloud Storage Providers: For secure document storage and project management
• Email Service Providers: For communication and newsletter distribution
• Payment Processors: For secure payment processing and transaction management
• Accounting Software: For billing, invoicing, and financial record management
• Hosting Providers: For website and application infrastructure

7.2 Professional Advisors
• Accountants and bookkeepers (for financial compliance)
• Legal advisors (for contract review and dispute resolution)
• Auditors (for financial and compliance audits)

7.3 Business Partners
With your explicit consent or when necessary for service delivery:
• Co-consultants or subcontractors assisting with your project
• Affiliated consulting/advisory professionals
• Strategic partners contributing to your engagement

7.4 Legal and Regulatory Authorities
When required by law:
• Czech tax authorities (for tax compliance)
• Data protection authorities (for regulatory inquiries)
• Courts and law enforcement (for legal proceedings)
• Regulatory bodies (for compliance verification)

7.5 Business Transfers
If our company is sold, merged, or undergoes restructuring, your personal data may be transferred as part of that transaction, subject to confidentiality agreements.

All recipients are bound by confidentiality obligations and contractual Data Processing Agreements (DPAs) where applicable.

8. International Data Transfers

Our primary operations are based in the Czech Republic, and we primarily process data within the EU/EEA.
However, if we transfer personal data outside the EU/EEA (to non-adequacy countries), we ensure appropriate safeguards:
• Standard Contractual Clauses (SCCs): For transfers to third countries, we use EU-approved SCCs
• Adequacy Decisions: Only to countries with an EU adequacy decision
• Your Explicit Consent: Where required by law, we obtain your prior written consent

We inform you of specific transfers when relevant to your engagement.

9. Your Data Protection Rights

Under the GDPR, you have the following rights:

9.1 Right of Access (Article 15)
You have the right to request access to your personal data and receive information about how we process it. We will respond within 30 days.
How to exercise: Email your request to contact@iwe-advisory.com with "Data Access Request" in the subject line.

9.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data.
How to exercise: Send a request identifying the inaccurate data and the correct information to contact@iwe-advisory.com.

9.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data under certain conditions (e.g., when data is no longer necessary, or you withdraw consent).
Note: We may retain data if required by law.
How to exercise: Submit a "Data Deletion Request" to contact@iwe-advisory.com with justification.

9.4 Right to Restrict Processing (Article 18)
You may request that we limit how we process your personal data, especially if you dispute its accuracy or our use of it.
How to exercise: Email contact@iwe-advisory.com with "Restriction of Processing Request" in the subject.

9.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly-used, machine-readable format and request that we transmit it to another organization.
How to exercise: Submit a "Data Portability Request" to contact@iwe-advisory.com.

9.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or marketing communications.
How to exercise: Email contact@iwe-advisory.com with "Objection to Processing" and specify your grounds.

9.7 Right to Withdraw Consent (Article 7)
If we process data based on your consent, you may withdraw consent at any time. Withdrawal does not affect the legality of processing before withdrawal.
How to exercise: Send a written withdrawal request to contact@iwe-advisory.com.

9.8 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or significantly affects you.
Note: We do not engage in automated decision-making or profiling that produces legal consequences.

9.9 Exercising Your Rights
To exercise any of these rights, contact us at:
Email: contact@iwe-advisory.com
Please include sufficient information to identify you and specify which right you are exercising. We will respond within 30 days (extendable to 90 days for complex requests). Responses to data access requests are provided free of charge, unless requests are manifestly unfounded or excessive.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

10.1 Technical Safeguards
• Encryption: Data in transit (TLS/SSL) and at rest (AES-256 or equivalent)
• Access Controls: Role-based access, authentication (multi-factor where applicable), password policies
• Network Security: Firewalls, intrusion detection, regular vulnerability assessments
• Data Backup: Regular automated backups stored securely with recovery procedures
• Patch Management: Timely application of security updates to all systems

10.2 Organizational Safeguards
• Staff Training: Privacy and security awareness training for all employees
• Data Protection by Design: Privacy considerations in all new projects and processes
• Vendor Assessment: Security evaluations of third-party service providers
• Incident Response Plan: Procedures for detecting, responding to, and reporting data breaches
• Access Restrictions: Personal data access limited to authorized personnel with legitimate need

10.3 Limitations
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute protection against all possible threats. You are responsible for maintaining the confidentiality of credentials and passwords you provide.

11. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance functionality and analyze usage:

11.1 Types of Cookies
Essential Cookies: Required for website functionality (e.g., session management, security). These cannot be disabled without impairing site functionality.
Analytics Cookies: Used to understand website traffic and user behavior (e.g., Google Analytics). These help us improve our website and services.
Marketing Cookies: Track your interactions for targeted advertising and marketing purposes.
Third-Party Cookies: Set by external partners for analytics, advertising, or social media functionality.

11.2 Your Cookie Preferences
You have the right to control cookies:
• Cookie Consent Banner: A consent banner appears on first visit; adjust your preferences via the banner
• Browser Settings: Disable cookies through your browser settings (note: some features may not work properly)
• Opt-Out Links: You may opt out of analytics and marketing cookies through our cookie management interface
• Do Not Track (DNT): We honor DNT signals where applicable

11.3 Cookie Retention
Cookies are typically retained for 12-24 months, depending on type and purpose. Refer to individual cookie details in our Cookie Policy.

12. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for their privacy practices. Please review their privacy policies before providing personal data.

13. Children's Privacy

Our advisory services are intended for business professionals and are not directed to children under 18 years old. We do not knowingly collect personal data from children. If we become aware that a child has provided personal data, we will take steps to delete it promptly.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:
1. Posting the revised policy on our website with an updated effective date
2. Sending email notification of significant changes (if you have provided an email)
3. Requiring explicit consent for fundamental changes to processing practices

Your continued use of our services after changes become effective constitutes your acceptance of the updated Privacy Policy.

Last Updated: January 14, 2026
Effective Date: January 14, 2026

15. Contact Information and Data Protection Authority

If you have questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Data Protection Inquiry: contact@iwe-advisory.com
General Inquiries: contact@iwe-advisory.com

If you believe we have violated your data protection rights or are dissatisfied with our response, you have the right to lodge a complaint with the Czech data protection authority:

Office for Personal Data Protection (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
Website: https://www.uoou.cz/
Email: posta@uoou.cz
Phone: +420 234 665 830

You also have the right to lodge a complaint with any EU/EEA data protection authority where you reside or work.

16. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person
• Processing: Any operation performed on personal data (collection, storage, use, transmission, deletion)
• Data Controller: The entity determining purposes and means of processing (our Company)
• Data Processor: The entity processing data on behalf of the controller (our service providers)
• GDPR: General Data Protection Regulation (EU) 2016/679
• Legitimate Interest: Our business interests in processing data, balanced against your privacy rights

________________________________________

Appendix: Data Processing Activities Summary

Processing Activity | Data Categories | Legal Basis | Recipients | Retention
Consulting Service Delivery | Identification, contact, professional, communication | Contract | Service team, subcontractors | Duration + 7 years
Billing and Invoicing | Financial, identification, contact | Contract, Legal Obligation | Accountant, payment processor | 7 years
Website Analytics | Technical, behavioral, IP address | Legitimate Interest | Analytics provider | 12-24 months
Marketing Communications | Email, contact, preferences | Consent | Email service provider | Until opt-out
Employee Records | Personal, employment, communication | Contract, Legal Obligation | HR, payroll, authorities | Employment + statutory period
Job Applications | Personal, employment, qualification | Contract Preparation | Recruitment team, decision makers | 1 year
Vendor Management | Business contact, transaction | Contract, Legitimate Interest | Finance, procurement | Contract duration + 7 years
Security & Fraud Prevention | Technical, behavioral, IP | Legitimate Interest | Security systems, authorities | 30-90 days

________________________________________