Privacy Policy of Draftrust.com

1. Data Controller

The data controller for the personal data collected through Draftrust.com is:

DEUDAFIX REPARADORA LEGAL GROUP, S.L. Av. de la Vega, 15, 28108 Alcobendas, Madrid, Spain Data protection contact email: dataprotectionofficer@deudafix.es

DEUDAFIX processes personal data in accordance with the General Data Protection Regulation — GDPR —, Spanish Organic Law 3/2018 on Personal Data Protection and the guarantee of digital rights — LOPDGDD —, and any other applicable regulations.

2. Purpose of this Policy

This Privacy Policy informs users of Draftrust.com about how DEUDAFIX collects, uses, stores, protects and, where applicable, discloses their personal data, ensuring lawful, fair, transparent, secure processing limited to the relevant legitimate purposes.

3. Personal Data That May Be Processed

Depending on the user’s relationship with DEUDAFIX and their use of the website, the following categories of data may be processed:

• Identification data: name, surname, DNI/NIE or equivalent identification document. • Contact data: postal address, email address, landline or mobile phone number. • Professional or commercial data: position, company, professional activity or information linked to a service request. • Economic, financial, asset-related or solvency data, where necessary for the provision of legal, financial or document analysis services. • Data arising from electronic communications, forms, queries, requests or interactions with the website. • Technical browsing, security and website usage control data. • Where applicable, CV data if the user submits information for recruitment processes.

Where the service requires it, DEUDAFIX may process sensitive data or data linked to legal, administrative, financial or asset-related proceedings, always on the basis of a valid legal ground and with the safeguards required by applicable law.

4. Purposes of Processing

DEUDAFIX may process personal data for the following purposes:

1. Management of users, clients and potential clients, including preliminary analysis, contracting, service provision, case monitoring and representation before public or private entities where applicable.

2. Management of information requests, queries, complaints, claims or incidents submitted through the website, email, telephone or other enabled channels.

3. Provision of legal, document management, technological or operational support services linked to Draftrust.com and to the activities carried out by DEUDAFIX.

4. Management of commercial communications, newsletters, events or subscriptions, where the user has given consent or where there is a legitimate basis for doing so.

5. Management of job applications, where the user submits their CV or professional information to DEUDAFIX.

6. Website control, security and fraud prevention, including the detection of unauthorised access, misuse, technical manipulation or unlawful actions.

7. Compliance with legal, contractual, tax, administrative, regulatory and claim-defence obligations.

5. Legal Basis for Processing

The processing of personal data may be based, depending on the case, on one or more of the following legal grounds:

• The data subject’s consent. • The performance of a contract or the application of pre-contractual measures. • Compliance with legal obligations applicable to DEUDAFIX. • DEUDAFIX’s legitimate interest, for example, to ensure website security, manage claims, carry out quality controls or improve its services. • The defence of legitimate rights and interests against possible claims.

6. Data Retention

Personal data will be retained for as long as necessary to fulfil the purposes for which it was collected.

Thereafter, the data may remain blocked for the legally required periods in order to address potential legal, contractual, tax, administrative or regulatory liabilities.

In particular: • Data linked to clients, case files, calls, advisory services or claims may be retained for the periods necessary to manage the service and defend against possible claims. • Call recordings, where they exist, may be retained for the period necessary for evidentiary, quality, compliance or legitimate interest purposes. • Candidate data will be retained for as long as necessary to manage the recruitment process, unless the data subject authorises a longer retention period. • Employee, supplier or collaborator data will be retained in accordance with applicable legal and contractual obligations.

The user may request additional information on specific retention periods by writing to: dataprotectionofficer@deudafix.es

7. Disclosure of Data to Third Parties

DEUDAFIX will not disclose personal data to third parties unless this is necessary to fulfil the stated purposes, there is a legal obligation to do so, or the user has given consent.

Where applicable, data may be disclosed to: • Group companies or entities linked to DEUDAFIX (Unifye Iberia, Novomoney, Simply Legal, etc.). • Technology, administrative, tax, financial, audit, marketing, storage or IT support providers. • Credit report, solvency or service providers necessary for the correct provision of the service. • Courts, tribunals, public administrations, or other competent authorities where there is a legal obligation.

Providers with access to personal data shall act as data processors and shall be contractually required to apply appropriate technical and organisational measures.

8. International Transfers

DEUDAFIX does not carry out international transfers of personal data outside the European Union, unless this is necessary in a specific case and the legally required GDPR safeguards are applied.

9. Data Security

DEUDAFIX applies technical and organisational measures aimed at protecting personal data against loss, alteration, unauthorised access, improper processing or accidental destruction (access controls, backups, encryption, etc.).

10. Rights of Data Subjects

The user may exercise the following rights: Access, Rectification, Erasure, Restriction of processing, Objection, Portability, and Withdrawal of consent.

To exercise these rights, the data subject must send a request with an ID copy to: DEUDAFIX REPARADORA LEGAL GROUP, S.L. Av. de la Vega, 15, 28108 Alcobendas, Madrid, Spain Or by email to: dataprotectionofficer@deudafix.es

DEUDAFIX will respond within one month (extendable to three in complex cases). You may also lodge a complaint with the Spanish Data Protection Agency (www.aepd.es).

11. Third-Party Data Provided by the User

If you provide data belonging to third parties, you guarantee that you have informed them and have authorization to do so.

12. Accuracy and Updating of Data

The user guarantees that the data provided is true, accurate, complete and up to date.

13. Social Media

The user’s interaction with DEUDAFIX social media profiles involves the processing of data visible according to the privacy settings of each platform.

14. Governance and Internal Compliance

DEUDAFIX has an internal compliance structure aimed at ensuring the proper management of privacy and data protection (DPO, IT Managers, training teams, etc.).

15. Review and Update of this Policy

DEUDAFIX may amend this Privacy Policy to adapt it to legislative changes or updates to the services offered through Draftrust.com.