Legal notice and privacy policy

According to the provisions of the General Data Protection Regulation, we inform you that we will process your personal data for the purpose of: [Providing or delivering the contracted service or product, and informing you about the products or services published on our website]. The personal data provided will be kept as long as the business relationship is maintained, the interested party does not request its deletion, or for 1 year from the last confirmation of interest, or for the time necessary to comply with legal obligations. The company will NOT make automated decisions. Data will not be transferred to third parties except in cases where there is a legal obligation, and we will process them based on [your consent or the execution of a contract]. Furthermore, we inform you of the possibility to exercise the following rights over your personal data: right of access, rectification, erasure or forgetfulness, limitation, opposition, portability, and to withdraw the consent granted, for which you can send an email to: hola@yamuve.com. In addition, the data subject may contact the competent Data Protection Authority to obtain additional information or file a complaint. Identifying data of the data controller: ARTURO CERDÁ VILAPLANA, 21668911J, C/ San José, 59, – ATICO B – 03440 – Ibi – ALICANTE

CONSENT

The purpose and intended use of the data itself and its processing are to provide the requested service or deliver the purchased product. Below, you can accept the purposes you consider appropriate by checking the corresponding box and clicking the ACCEPT button. Please note that some purposes may be necessary in order to provide/deliver the associated service/product. [ _ ] Provision of contracted service (If you agree to the processing of your data for this purpose, check this box) [ _ ] Delivery of the purchased product (If you agree to the processing of your data for this purpose, check this box) [ _ ] Sending offers of products and services of interest (If you agree to the processing of your data for this purpose, check this box)

USES AND RECOMMENDATIONS

Manual of uses and recommendations. (For all users with access to personal data). All individuals who have access to personal data, whether through the computer system or any other automated means of access, are required to comply with what is established in the Security Document provided by the organization, and therefore, subject to the consequences that may arise in case of non-compliance. Non-compliance with security policies, practices, and procedures will be subject to disciplinary action and may result in civil and/or criminal action. This regulation must be disseminated to all employees so that all users are aware of the security measures they are subject to regarding Data Protection. Furthermore, it is recommended to provide a method that allows the receipt acknowledgment by users.

FUNCTIONS ASSIGNED TO THE DATA CONTROLLER

1. Develop and implement the security regulations that must be adopted by the treatments detailed in the corresponding ANNEX A of the security document, as well as the consequences that could be incurred in case of non-compliance. 2. Create and maintain the Register of Processing Activities. 3. Verify compliance with the duty of information, prior to the collection of data according to the means used for this purpose. 4. Obtain the consent of the data subjects, whenever necessary for the processing of their data. 5. Approve the designation and authorization of users who use the application in their daily work, assigning the allowed accesses to each user. 6. Approve a policy aimed at the proper training of staff with the following objectives: – knowledge of security measures that affect the functions of each user. – knowledge of the procedures to be followed by the data subject to exercise their rights. 7. Authorize the start-up of the exploitation of personal data through a new computer application or substantial improvements to the existing one. 8. Authorize the approval of a policy for the removal of computer media containing personal data outside the premises where the processing is located. 9. Approve the correction of the procedures established for the assignment of passwords to ensure their confidentiality. 10. Approve the procedures for making backup copies and data recovery. 11. Approve corrective measures resulting from the corresponding audit. 12. And, in general, any obligations arising from the applicable regulations.

FUNCTIONS ASSIGNED TO USERS

1. Maintain the necessary confidentiality regarding any type of personal data information known in the course of their work, even after the employment relationship with the organization has ended. 2. Keep all physical media and/or documents containing personal data information in a secure place when they are not in use, especially outside working hours. 3. The transfer of any media, list, or document containing personal data information owned by the organization outside its premises is prohibited without prior authorization from the Data Controller. In the event of the transfer or distribution of media and documents, the data must be encrypted or another mechanism must be used to prevent access or manipulation by third parties. 4. Temporary files or copies of documents are those that store personal data generated for a specific need or temporary and auxiliary work, provided that their existence does not exceed one month. These temporary files or document copies must be deleted once they are no longer needed for the purposes that prompted their creation, and while they are valid, they must comply with the assigned security measures. If, after a month, the user needs to continue using the information stored in the file, they must notify the Data Controller to take the appropriate measures. 5. Only authorized individuals on an access list may enter, modify, or delete data in the files or documents subject to protection. User access permissions to different files are granted by the Data Controller. In the event that any user needs access to personal data or documents to which they are not authorized for their work, they must inform the relevant Data Controller. 6. Report to the Data Controller, following the notification procedure, any security breaches or incidents they become aware of. 7. Change passwords at the request of the system. 8. Close or lock all sessions at the end of the working day or in case of temporary absence from the workplace to prevent unauthorized access. 9. Do not copy the information contained in files containing personal data to a personal computer, laptop, or any other media without the express authorization of the relevant Data Controller. 10. Store all files containing personal data in the folder indicated by the relevant Security Officer to facilitate the application of the corresponding security measures. 11. Keep all physical media containing information with personal data in a secure place when they are not in use, especially outside working hours. 12. Ensure that no printed documents containing protected data are left in the printer’s output tray. 13. Temporary files are those that store personal data generated for a specific need, provided that their existence does not exceed one month. Temporary files must be deleted once they are no longer needed for the purposes that prompted their creation and, while they are valid, they must be stored in the folder designated by the relevant Data Controller. If, after a month, the user needs to continue using the information stored in the file, they must notify the Data Controller to take the appropriate measures. 14. Email is considered by the organization as a fundamental tool for communication between the organization and other agents, whether public or private, involved in the activities of the organization. Therefore, email, regardless of the assigned address, is configured as a non-exclusive, collective, and freely accessible work tool, assigned to areas or positions rather than individuals. Its use for purposes unrelated to work duties is prohibited. The use of employees’ names or surnames along with the organization’s domain in email addresses does not mean that the organization has assigned a personal email. This is done solely for internal organizational purposes related to area and position assignment. Users are prohibited from sending sensitive personal data information without express authorization from the relevant Data Controller. In any case, this transmission can only be done if the necessary mechanisms are in place to prevent the information from being intelligible or manipulated by third parties. 15. Users may not, without the express authorization of the Data Controller, install any type of software or devices on central servers or on the personal computer used for their work.

Data Protection Advisors – Version: 1 Date: 27/07/2018 Functions for Users GDPR – Page 18

Security Document ARTURO CERDÁ VILAPLANA 13. Prohibited: a. Using identifiers and passwords of other users to access the system. b. Attempting to modify or access the access log enabled by the competent Controller. c. Bypassing the security measures established in the computer system by attempting to access data or programs for which access has not been granted. d. Sending mass emails (spam) using the corporate email address. e. And in general, using the corporate network, computer systems, and any means available to the user to violate the rights of third parties, those of the organization itself, or for acts that could be considered illegal. 14. Keep access keys to the organization, its offices, and cabinets, file cabinets, or other elements containing non-automated personal data information, properly guarded, and report any events that may have compromised their custody to the competent Data Controller. 15. Lock office doors at the end of the workday or when temporarily leaving the location to prevent unauthorized access. 16. Ensure that there are no printed documents containing protected data left in the printer’s output tray. 17. Establish procedures for copying or reproducing documents so that only authorized individuals can access copies of the documents. User access permissions to different files are granted by the competent Data Controller.