Data Protection Policy

1- Commitment to Data Protection and Privacy

2- Definitions

3- Entity Responsible for Treatment

4- Contacts for the Data Controller

5- Collection and Processing of Personal Data

6 - Categories of Personal Data Processed and Holders

7 - Legal Principles

8 - Legitimacy Grounds

9 - Purpose of Processing

10 - Information leaflets on Data Processing

11 - Deadlines for Data Retention

12 - Use of Cookies

13 - Communication of Data to Other Entities

14 - Recipients of Data

15 - International Data Transfers

16 - Security Measures

17 - Exercise of the Rights of Data Subjects

18 - Complaints or Suggestions

19 - Incident Reporting

20- Amendment of the Data Protection Policy

21- Express Consent and Acceptance

22- Special Data Protection Policies

23- Data Protection Officer

24- Versions of the Data Protection Policy

Commitment to Data Protection and Privacy

Direct Hit complies with all applicable EU and national legal regulations in the field of data protection, privacy, and information security.

Direct Hit has implemented a Personal Data Protection System and an Information Security System in order to ensure regulatory compliance and demonstration or evidence of institutional responsibility for data protection and information security, implementing all necessary technical and organizational measures deemed appropriate, both to comply with the general legal regime of the Data Protection Law in force, and to comply with the special legal regime of the General Data Protection Regulation, applicable since May 25, 2018.

For any clarification or additional information or to exercise rights in this regard, please contact the Data Protection Officer of Direct Hit at [email protected].

Definitions

"Personal Data"

"Personal data" means information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier. Personal identifiers are, for example, a name, an identification number, location data, electronic identifiers, or to one or more specific elements of that natural person's physical, physiological, genetic, mental, economic, cultural or social identity.

"Processing of personal data"

"Processing" means an operation or set of operations which is performed upon personal data or sets of personal data, by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, comparison or interconnection, restriction, erasure or destruction.

"Cookies"

"Cookies" are small text files containing information considered as relevant that the devices used for access (computers, cell phones or portable mobile devices) load, through the internet browser, when an online site is visited by the Customer or User.

Party Responsible for Treatment

Direct Hit - Corporate Service Rendering, Ltd, with the Portuguese Tax ID 504 526 146, hereinafter referred to as Direct Hit, is the entity responsible for the online sites, computerized systems or applications, hereinafter referred to as channels or applications, through which the Users, Service Recipients or Customers have remote access to the Direct Hit services that are presented or provided at any time through the same, and shall be the entity considered as controller of the personal data.

The use of the channels, systems or applications by any User, Service Recipient or Customer may involve operations of personal data processing, whose protection, privacy and security is ensured by Direct Hit as the entity responsible for the respective processing, in accordance with the terms of this Data Protection Policy.

Contact Details for the Data Controller

For the purposes of contacting the Direct Hit Data Protection Officer, please send an e-mail to [email protected] or to each of the specific addresses identified on the online sites, describing the subject of your request and providing an e-mail address, a telephone contact address, or a mailing address.

For any other purpose, the following general contact details of Direct Hit may be used:

- Postal Address: Rua Sousa Lopes, Nº 65, 5º Esq., 1600-307 Lisbon, Portugal;

- Postal Address: Rua Sousa Lopes, Nº 65, 5º Esq., 1600-307 Lisboa, Portugal;

- General E-mail: [email protected] ;

- General Telephone: + 351 213 243 750;

- General Fax: + 351 213 243 759;

- Website: www.directhit.eu .

Collection and Processing of Personal Data

Direct Hit shall process personal data strictly necessary for the provision of information and operation of its channels, according to the uses made by the Users, Service Recipients or Customers, whether those provided for purposes of registration of requests or acquisition of information, or those provided for purposes of subscription to those channels, or those that result from the use of the services provided by Direct Hit through those channels, such as the accesses, consultations, instructions, transactions and other records related to their use.

In particular, the use or activation of certain features of the Channels may involve the processing of various direct or indirect personal identifiers, such as name, home address, contacts, device addresses or geographic location, where there is the express consent of the User, Service Recipient or Customer, where this is necessary for management of the contractual relationship or pursuit of legitimate interests or, finally, for compliance with legal obligations.

In all cases, Users, Service Recipients or Customers will always be informed of the need to access such data for using the functionalities of the channels concerned.

The personal data collected by Direct Hit shall be processed by computer, in certain cases on an automated basis, including file processing or profiling, and in the context of the management of the pre-contractual, contractual or post-contractual relationship with the Users, Service Recipients or Customers, in accordance with the national and EU rules in force.

Categories of Personal Data Processed and Holders

The categories or types of personal data that are subject to processing are generally as follows:

- identification data;

- contact data;

- professional data;

- billing data;

- traffic and access control data.

Biometric data may also be processed in the different establishments of the Person Responsible for Treatment, processed through video surveillance systems or other biometric systems that are installed.

A detailed list of personal data categories and data subject categories can be found in the Data Processing Information Sheets.

Legal Principles

All data processing operations shall comply with the fundamental legal principles in the field of data protection and privacy, particularly with regard to movement, lawfulness, fairness, transparency, purpose, minimization, preservation, accuracy, integrity and confidentiality, and Direct Hit shall be available to demonstrate its responsibility towards the data subject or any third party having a legitimate interest in this matter.

Legitimacy Grounds

All data processing operations carried out by Direct Hit are based on a legitimate ground, namely that the data subject has given his/her consent to the processing of his/her personal data for one or more particular purposes, or that the processing is considered necessary for the performance of a contract to which the data subject is party, or for pre-contractual measures at the data subject's request, processing is necessary for compliance with a legal obligation to which the controller is subject, or in the public interest, or processing is regarded as necessary for the purposes of exercising legitimate interests pursued by Direct Hit or by a third party.

Purpose of the processing

All personal data processed within Direct Hit channels are intended solely for provision of information to users, management of personal information of the Service Recipients deemed necessary for the purpose of relationship management or communication, as well as provision of services to customers, and, in general, management of the pre-contractual, contractual or post-contractual relationship with users, Service Recipients or customers.

The personal data collected may also and eventually be subject to processing for statistical purposes, for actions to disseminate information or promotional and communication actions, namely to promote actions to disseminate new features or new services, through direct communication, whether by correspondence, email, messages or telephone calls or any other electronic communications service.

As prior information and collection of express consent for these latter purposes is always ensured, Users, Service Recipients or Customers may, at any time, exercise their right to withdraw consent or their right to object to the use of their personal data for other purposes beyond the management of the relationship with the Controller, including for purposes of pursuing legitimate interests, sending information communications or being included in mailing lists or information services, by sending a written request addressed to the Data Protection Office of Direct Hit in accordance with the procedures set out below.

Data Processing Information Sheet

In accordance with the principle of fairness and transparency and to ensure the fulfilment of the information obligation, Direct Hit shall provide directly or make publicly available to all the holders of personal data, depending on the way of collection of their personal data, information sheets on the data processing operations performed, which sheets shall be accessible for consultation at any business location.

Data Retention Periods

Personal data shall be kept only for the period of time necessary for the purposes for which they were collected or for which they are further processed, in compliance with all applicable legal provisions regarding storage and with the specific storage period specified in each of the Data Processing Information Sheets.

Use of Cookies

Direct Hit may use, as appropriate, two broad categories of cookies: cookies in the context of online sites, and cookies in the context of direct electronic communication channels, the disabling of which by users or customers is guaranteed in all cases.

Direct Hit uses cookies on its online sites to improve the performance and browsing experience of Users and Customers by increasing responsiveness and efficiency on the one hand, and by eliminating the need to repeatedly enter the same information on the other hand.

The use of cookies helps online sites recognize Users' and Customers' devices the next time he or she visits them, and in some cases is also essential to their operation.

The cookies used by Direct Hit, on all its channels, do not collect personal information that can identify Users or Customers, but only store generic information, such as the way or geographic location of access and the way they use the channels, among others. Cookies only retain information related to the preferences of Users and Customers, and no personal identifiers are recorded.

Users, Service Recipients and Customers may, at any time, through the computer application they use to browse the internet ("browser"), decide to be notified about the receipt of "cookies", as well as block their entry into their system.

With regard to the type of intended purposes, Direct Hit may, where appropriate, use three different types of cookies, according to the following specifications:

(i) essential cookies - some cookies are essential to access specific areas of the online channels, allowing navigation and use of their applications, such as access to secure areas of the sites, through user registration - without these cookies, services that require it cannot be provided;

(ii) Functionality cookies - Functionality cookies allow us to remember your preferences regarding your navigation of the online sites, so that you do not need to reconfigure and personalize them each time you visit;

(iii) analytical cookies - these cookies are used to analyze how users use online sites, enabling us to highlight items or services that may be of interest to users, monitoring site performance, as well as learning which pages are most popular, which method of linking pages is most effective, or determining why some pages are receiving error messages - these cookies are used only for statistical creation and analysis purposes and never collect personal information.

For these purposes, Direct Hit can provide a high quality experience to Users, Service Recipients or Customers by personalizing information and offers and identifying or correcting any problems that may arise from their use.

With regard to the type of validity, there are two types of cookies:

(i) permanent cookies - these are cookies that are stored in the devices used to access the channels (computers, cell phones, etc.), at the level of the computer application used to browse the internet ("browser"), and are used whenever Users or Customers visit any channel again - in general, they are used to direct the browsing according to the User's or Customer's interests, allowing Direct Hit to provide a more personalized service;

(ii) session cookies - these are temporary cookies that are generated and are only available until the session is closed, since the next time the Customer/User accesses his/her browser the cookies will no longer be stored - the information obtained allows managing sessions, identifying problems and providing a better browsing experience.

Users, Service Recipients or Customers may disable some or all cookies at any time by following the instructions available in each browser and may lose access to some site functionality.

Direct Hit, within the scope of direct electronic communication channels, may also use cookies in the opening of the different electronic communications sent, such as newsletters and e-mail, for statistical purposes - allowing to know if such communications are opened and to check the clicks through links or advertisements within such communications.

Also in this category of cookies, Users, Service Recipients or Clients always have the possibility of deactivating the sending of electronic communications through the specific option in the footer of the same.

Communication of Data to Other Entities

The provision of information or services by Direct Hit to its Users, Service Recipients or Customers through the channels may eventually involve reliance on the services of subcontracted third parties, including entities based outside the European Union, for the provision of certain services, which may involve access by these entities to such personal data.

In these circumstances and where necessary, Direct Hit shall use only those third parties that provide sufficient guarantees that they will implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of the applicable standards, such guarantees being formalised in an agreement signed between Direct Hit and each third party.

Data Recipients

Except for compliance with legal obligations, performance of contracts, or pursuit of legitimate interests, in no case shall personal data of Users, Service Recipients or Customers be disclosed to third parties other than subcontractors or lawful recipients, nor shall any other transfer of personal data to third parties be permitted.

International Data Transfers

Any transfer of personal data to a third country or international organization will only take place in the framework of the fulfillment of legal obligations or to ensure compliance with EU and national legal standards applicable in this area.

Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risks, varying in likelihood and severity, to Users, Service Recipients, or Customers, Direct Hit and any of its sub-contractors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

To this end, various security measures are adopted in order to protect personal data against disclosure, loss, misuse, alteration, unauthorised processing or access, as well as any other form of unlawful processing.

It is the exclusive responsibility of Users, Service Recipients or Clients to keep access codes secret and not share them with third parties. Furthermore, in the particular case of the computer applications used to access the channels, they must keep and maintain the access devices in a safe condition and follow the security practices recommended by the manufacturers and/or operators, namely as regards the installation and updating of the necessary security applications, namely, among others, antivirus applications.

In case it is necessary to subcontract services to third parties that may have access to personal data of Users, Service Recipients or Customers, Direct Hit's subcontractors shall be required to adopt security measures and protocols at the organizational level and technical measures necessary to protect the confidentiality and security of personal data, as well as to prevent unauthorized access, loss or destruction of personal data.

Exercise of Rights by the Holders of Personal Data

Users, Service Recipients or Direct Hit Customers may, as holders of personal data, at any time exercise their rights of data protection and privacy, in particular the rights of access, rectification, erasure, portability, limitation or opposition to the processing, in accordance with the terms and limitations provided for in the applicable rules.

Any request for the exercise of data protection and privacy rights should be addressed in writing by the data subject to the Data Protection Officer, in accordance with the procedure and contact details described below.

Complaints or Suggestions

Users, Service Recipients or Customers have the right to lodge complaints, either by registering the complaint in the Complaints Book or by filing a complaint with the regulatory authorities - in the latter case, they may file a petition or complaint directly with the National Commission for Data Protection through the contacts available at www.cnpd.pt .

Users, Service Recipients or Customers may also make suggestions by sending an email to the Data Protection Officer at [email protected] .

Incident Reporting

Direct Hit has implemented an incident management system in the field of data protection, privacy and information security.

In case any User, Service Recipient or Customer wishes to report any personal data breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, please contact the Data Protection Officer or use the general contact details of Direct Hit.

Changes to the Data Protection Policy

In order to ensure updating, development and continuous improvement, Direct Hit may amend this Data Protection Policy at any time as deemed appropriate or necessary, and shall publish it in the different channels to ensure transparency and information to Users, Service Recipients and Customers.

Express Consent and Acceptance

The terms of the Data Protection Policy are complementary to the terms and provisions, regarding personal data, provided in the Specific Terms of Use of each of Direct Hit's channels.

The free, specific, and informed provision of personal data by the respective holder implies knowledge and acceptance of the terms of this Policy, and by using the channels or providing personal data, Users, Service Recipients, and Customers shall be deemed to expressly consent to the processing of personal data in accordance with the rules set forth in each of the channels or applicable collection instruments.

Express Consent and Acceptance

The terms of the Data Protection Policy are complementary to the terms and provisions, regarding personal data, provided in the Specific Terms of Use of each of Direct Hit's channels.

The free, specific and informed provision of personal data by the respective holder implies knowledge and acceptance of the conditions contained in this Policy, it being considered that, by using the channels or by providing their personal data, the Users, Service Recipients and Customers are expressly authorizing their processing, in accordance with the rules defined in each of the applicable collection channels or instruments.

Special Data Protection Policies

With a commitment to transparency and information, and to ensure the appropriateness of the Data Protection Policy to the different data processing operations performed and especially to the different categories of data subjects, Direct Hit may develop Data Protection Policies of a special nature, such as, for example

- the Data Protection Policy in the Employment Context;

- the Application Management Data Protection Policy; and

- the Supplier Employee Data Protection Policy.

These special policies are made available directly to the respective categories of data subjects and are available for consultation upon request to the Data Protection Officer.

Data Protection Officer

For the exercise of any kind of data protection and privacy rights or for any matter relating to data protection, privacy and information security issues, Users, Service Recipients and Customers interacting with Direct Hit may contact the Data Protection Officer by e-mail at [email protected] , describing the subject of the request and providing an e-mail address, a telephone contact address, or a mailing address for response.

Versions of the Data Protection Policy

Version of this Policy: Version 3.0.

Date: 20220304 .

To view previous versions of the Data Protection Policy, please send your request by e-mail to [email protected] .