PRIVACY POLICY

Parknexa Sh.P.K

Latest Updated: June 1, 2025

1. INTRODUCTION

Parknexa Sh.P.K is responsible for ensuring that you have the opportunity to read this information regarding personal data processing. In the event of questions in relation to joint controllership or this Privacy Policy, please feel free to contact Parknexa Sh.P.K via the contact details listed in section 10 below.

In this Privacy Policy, we explain which categories of personal data Parknexa Sh.P.K collects, why Parknexa Sh.P.K collects such data, and what Parknexa Sh.P.K uses the personal data for in connection with the Services, Parknexa’s mobile application (the “Application”) or Parknexa’s website (the “Website”). This is done in order for you to be able to exercise your rights.

Data Processing Models: Parknexa Sh.P.K operates under two distinct service models with different data processing practices:

Product Technology Services: Parknexa cooperates with parking garages to provide automation and digitalization of parking systems, where data is stored and processed in Parknexa’s cloud infrastructure to enable full platform functionality.
Software-as-a-Service (SaaS): For municipalities and government law enforcement agencies, Parknexa operates as a SaaS provider, acting as a data processor and does not own or independently store customer personal data beyond what is necessary for service provision. Data is processed solely for the purpose of providing parking management services and is not used for independent marketing or commercial purposes.

Parknexa Sh.P.K processes personal data in accordance with applicable data protection laws, including but not limited to: - Albanian Law on Personal Data Protection (Law No. 9887/2008, as amended) - Albanian Law on the Right to Information (Law No. 120/2016, as amended) - Albanian Law on Electronic Commerce (Law No. 10128/2009, as amended) - Albanian Civil Code (Law No. 7850/1994, as amended) - Albanian Consumer Protection Law (Law No. 9902/2008, as amended) - European Union General Data Protection Regulation (GDPR) as applicable - Other relevant Albanian legislation and regulations

Personal data is all such information that may be used to identify a specific individual (a natural person).

Parknexa Sh.P.K provides the Services to both consumer customers (B2C) as well as business customers whose employees are users of the Services (B2B). This Privacy Policy applies to both types of customers.

2. SOURCES OF PERSONAL DATA

2.1 Personal Data Collected from You

The personal data that may be processed consists primarily of such data that you, directly or indirectly, provide to Parknexa Sh.P.K. For example, Parknexa Sh.P.K collects your personal data when you: - Apply for registration of an account with Parknexa Sh.P.K (including mandatory email verification) - Use the Services, the Application and the Website - When you contact Parknexa Sh.P.K - When you purchase Credits for parking services - When you participate in customer surveys or feedback requests

Email Verification: All customers must verify their email address before accessing Services. This serves as a basic security measure and compliance requirement under Albanian electronic commerce regulations.

2.2 Personal Data Collected from Information Service Providers

We may collect personal data from information service providers in order to cross-check our customers register with public registers to ensure that we have correct information that is up-to-date, such as the correct vehicle registration number and vehicle model. This processing is based on our legitimate interest in providing accurate services and complying with Albanian vehicle registration requirements.

2.3 Personal Data Collected from Public and Private Operators

We may collect personal information from public and private operators of car parks such as municipalities, airports, hospitals and universities who provide us with the details of your parking transactions when you have opted for our service so that we can process your parking transactions accordingly. This information consists of your license plate number, to the extent required for the parking space, the parking space, the parking fee and the start and end time of your parking session.

Data Processing Distinction: - Product Technology Services: When providing cloud-based automation services to parking garages, we act as a data controller and store necessary data in our cloud infrastructure to provide full service functionality. - SaaS Processing: When acting as a SaaS provider for municipalities and law enforcement agencies, we process personal data solely as instructed by these entities and in accordance with Albanian public administration data protection requirements.

2.4 Personal Data Collected from Parking Control Bodies

We may collect personal information from parking control bodies such as municipalities, private parking operators and their enforcement partners for the purposes of parking enforcement in accordance with applicable Albanian parking regulations and law enforcement procedures.

2.5 Personal Data Collected from Operators of Parking Equipment

We may collect personal information from operators of parking equipment (e.g. parking meters) and license plate recognition systems (e.g. in multi-storey car parks) so that your parking process can be identified and registered. Where Automatic Number Plate Recognition (ANPR) technology is available, license plates will be scanned automatically.

2.6 Personal Data Collected from Partners of Automatic Payment

We may collect personal information from partners who allow the possibility of automatic payment, so that you can pay automatically after a parking transaction based on ANPR, radio-frequency identification (RFID) tag, Bluetooth, UHF tag or vehicle signal. We only receive this information if you have registered for this payment option either via our app or via our website or on site.

2.7 Personal Data Collected from Public and Private Sector

We may collect personal information from our public and private sector customers who use our service to make parking easier for their employees. If you, as an employee, are part of such an arrangement, we will receive your name or employee number, email address, telephone number and vehicle registration number from your employer, after which you can link your account to your employer’s account.

2.8 Personal Data Collected from Fleet Management Companies

We may collect personal information from fleet management companies (for business accounts only) who, after you or your employer have given your consent, provide us with vehicle status information. This information can be used to provide services such as the automatic stop function.

3. PURPOSES AND LEGAL GROUNDS FOR PROCESSING PERSONAL DATA

Parknexa Sh.P.K processes personal data for the following purposes and on the basis of the following legal grounds, in accordance with Albanian data protection legislation and applicable international standards:

3.1 Provision of Services

Legal Basis: Contract performance and legitimate interest Purpose: Parknexa Sh.P.K processes your personal data in order to provide the Services in accordance with our contractual obligations and Albanian commercial law. Data Categories: Name, email, phone number, vehicle registration, payment information, usage data Retention Period: For the duration of the contract plus 5 years for accounting purposes as required by Albanian law

3.2 Anti-Money Laundering and Fraud Prevention

Legal Basis: Legal obligation and legitimate interest Purpose: To comply with Albanian anti-money laundering regulations and prevent fraudulent activities Data Categories: Transaction data, payment information, usage patterns, device information Processing Activities: - Automated transaction monitoring for unusual patterns - Regular data integrity checks - Suspicious activity detection and reporting to Albanian authorities - Customer verification procedures Retention Period: 5 years from the end of the business relationship as required by Albanian AML law

3.3 Customer Communication and Support

Legal Basis: Contract performance and legitimate interest Purpose: To communicate with you regarding the Services and provide customer support Data Categories: Contact information, support ticket data, communication history Retention Period: 3 years from last contact

Marketing Restrictions by Service Model: - Product Technology Services: Customer data may be used for service-related communications and with appropriate consent for marketing purposes. - SaaS Model: Parknexa Sh.P.K does not use customer data for independent marketing purposes when acting as a SaaS provider for municipalities and law enforcement agencies.

3.4 Conducting Surveys

Legal Basis: Legitimate interest and consent Purpose: To conduct surveys regarding Parknexa, the Application and the Services for service improvement Data Categories: Survey responses, feedback, contact information Retention Period: 2 years from survey completion

3.5 Follow-up and Evaluation

Legal Basis: Legitimate interest Purpose: To create reports and statistics for service evaluation and improvement Data Categories: Usage statistics, performance metrics (anonymized where possible) Retention Period: 3 years for statistical purposes

3.6 Handling Requests and Customer Service Matters

Legal Basis: Contract performance and legitimate interest Purpose: To handle customer requests and provide support services Data Categories: Support requests, communication records, resolution data Retention Period: 3 years from case closure

3.7 Recording of Phone Calls

Legal Basis: Legitimate interest and consent Purpose: Quality assurance, staff training, and security purposes Data Categories: Call recordings, call metadata Retention Period: 1 year from call date Your Rights: You may request not to be recorded and use alternative communication methods

3.8 Establishment, Exercise and Defence of Legal Claims

Legal Basis: Legitimate interest Purpose: To establish, exercise and defend legal claims in accordance with Albanian civil and commercial law Data Categories: All relevant personal data for legal proceedings Retention Period: Until legal proceedings are concluded plus applicable statute of limitations

3.9 Maintenance, Protection and Development of the Services

Legal Basis: Legitimate interest Purpose: To maintain, protect and develop the Services, including security monitoring Data Categories: System logs, usage data, technical data Retention Period: 2 years for development purposes, 1 year for security logs

4. SECURITY AND DATA PROTECTION

Parknexa Sh.P.K takes the matter of security of your personal data very seriously. We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, alteration or destruction, in accordance with Albanian data protection standards and international best practices.

4.1 Technical Security Measures

Encryption: All personal data is encrypted both in transit and at rest
Access Controls: Multi-factor authentication and role-based access controls
Firewall Protection: Advanced firewall systems protect against unauthorized access
Regular Security Audits: Quarterly security assessments and penetration testing
Data Backup: Secure backup systems with regular recovery testing

4.2 Organizational Security Measures

Staff Training: Regular data protection training for all employees
Data Protection Officer: Appointed DPO oversees compliance (contact: dpo@parknexa.com)
Privacy by Design: Data protection principles integrated into all system development
Incident Response: Documented procedures for data breach response
Third-Party Audits: Annual external security audits

4.3 Data Breach Notification

In the event of a data breach that may pose a risk to your rights and freedoms: - Authority Notification: We will notify the Albanian Data Protection Authority within 72 hours - Individual Notification: We will notify affected individuals without undue delay if high risk is identified - Breach Register: We maintain a register of all data breaches for regulatory compliance

5. RECIPIENTS OF PERSONAL DATA

Parknexa Sh.P.K shares personal data collected with the following recipients for the following purposes, in compliance with Albanian data protection laws:

5.1 Parking Operators

Purpose: Service provision and parking enforcement Data Shared: License plate numbers, parking transactions, payment status Legal Basis: Contract performance and legitimate interest Safeguards: Contractual data protection obligations

5.2 Payment Receivers and Payment Service Providers

Purpose: Payment processing and financial services Data Shared: Payment card details (through PCI-certified providers only), transaction amounts Legal Basis: Contract performance Safeguards: PCI DSS compliance, data processing agreements

Note: Parknexa Sh.P.K does not handle card details directly. All payment card information is processed by PCI-certified service providers.

5.3 Service Providers

Purpose: IT services, customer support, and technical maintenance Data Shared: Only data necessary for specific service provision Legal Basis: Contract performance and legitimate interest Safeguards: Data processing agreements, limited access, regular audits

5.4 Government Authorities and Law Enforcement

Purpose: Compliance with legal obligations and law enforcement assistance Data Shared: As required by Albanian law or court orders Legal Basis: Legal obligation Safeguards: Verification of legal authority, minimal data sharing principle

5.5 Fiscal Authorities and Licensed Partners

Purpose: Tax compliance and fiscal reporting Data Shared: Transaction data Recipients: Fature.al and other licensed fiscal service providers Legal Basis: Legal obligation under Albanian fiscal law Safeguards: Licensed partner agreements, encrypted data transmission

6. DATA STORAGE AND TRANSFERS

6.1 Storage Location

Personal data is stored on secure servers located within the European Union, with primary data centers in compliance with Albanian data protection requirements. All data storage facilities meet international security standards.

6.2 International Transfers

We may transfer personal data to third parties outside the European Union/European Economic Area (“EU/EEA”) only in the following circumstances: - Service Providers: When necessary for service provision with adequate safeguards - Legal Requirements: When required by Albanian law or international legal cooperation - Safeguards Applied: EU Commission Standard Contractual Clauses, adequacy decisions, or other appropriate safeguards

You have the right to request information regarding transfers outside the EU/EEA and obtain a copy of the safeguards we have implemented.

6.3 Data Retention

General Retention Policy: Personal data is retained only for as long as necessary for the purposes for which it was collected, subject to Albanian legal requirements:

Account Data: Duration of contract plus 5 years
Financial Data: 5 years from transaction (Albanian accounting law)
Support Data: 3 years from last contact
AML Data: 5 years from end of business relationship
Marketing Data: 18 months from last interaction (if consent given)
Legal Claims: Until statute of limitations expires

7. COOKIES AND TRACKING TECHNOLOGIES

Parknexa Sh.P.K uses cookies and similar tracking technologies to optimize the Services, perform statistical evaluations, conduct analyses, and improve user experience, in accordance with Albanian legislation on electronic communications.

7.1 Types of Cookies Used

Essential Cookies: Required for basic website functionality Performance Cookies: Help us analyze website usage and improve performance Functional Cookies: Remember your preferences and settings Security Cookies: Protect against fraud and unauthorized access

You can manage your cookie preferences through: - Browser Settings: Configure your browser to block or delete cookies - Cookie Consent Tool: Use our cookie preference center - Opt-Out: Contact us to opt out of non-essential cookies

For detailed information, see our Cookie Policy available on the Website.

8. YOUR RIGHTS UNDER ALBANIAN LAW

Pursuant to Albanian data protection legislation and applicable international standards, you have the following rights regarding your personal data:

8.1 Right of Access

What it means: You can request confirmation of whether we process your personal data and access such data How to exercise: Contact our customer service or use your account portal Response time: 30 days from request

8.2 Right to Rectification

What it means: You can request correction of inaccurate or incomplete personal data How to exercise: Update information in your account or contact customer service Response time: 30 days from request

8.3 Right to Erasure (“Right to be Forgotten”)

What it means: You can request deletion of your personal data in certain circumstances Limitations: We may retain data required by Albanian law or for legitimate interests How to exercise: Contact customer service with specific request Response time: 30 days from request

8.4 Right to Restrict Processing

What it means: You can request limitation of processing in certain circumstances How to exercise: Contact customer service with specific request Response time: 30 days from request

8.5 Right to Data Portability

What it means: You can receive your personal data in a structured, commonly used format Scope: Data you provided and that we process based on consent or contract How to exercise: Request through customer service or account portal Response time: 30 days from request

8.6 Right to Object

What it means: You can object to processing based on legitimate interests Scope: Marketing, profiling, and certain legitimate interest processing How to exercise: Contact customer service or use opt-out mechanisms Response time: Immediate for marketing; 30 days for other objections

What it means: You can withdraw consent for processing based on consent Effect: Does not affect lawfulness of processing before withdrawal How to exercise: Contact customer service or use account settings Response time: Immediate

8.8 Right to Lodge a Complaint

What it means: You can complain to data protection authorities if you believe your rights are violated Authority: Albanian Data Protection Authority (Autoriteti për Mbrojtjen e të Dhënave Personale) Contact: info@idp.al, +355 4 2274006 Alternative: You may also contact other competent Albanian authorities

9. AMENDMENTS TO THE PRIVACY POLICY

Parknexa Sh.P.K may amend this Privacy Policy from time to time in accordance with Albanian legal requirements and to reflect changes in our data processing practices.

9.1 Notification of Changes

Material Changes: We will notify you at least 60 days before material changes take effect Methods: Email notification, App notification, Website notice Minor Changes: Administrative updates will be notified 30 days in advance

9.2 Your Options

Acceptance: Continued use of Services after changes take effect constitutes acceptance Objection: You may object to material changes and terminate your account Refunds: If you terminate due to privacy policy changes, unused Credits will be refunded

9.3 Version Control

We maintain version control of this Privacy Policy: - Current Version: 2025.06.02 - Previous Versions: Available upon request - Regular Review: Annual review and updates as needed

10. CONTACT INFORMATION

10.1 General Contact

For questions or comments regarding this Privacy Policy, please contact Parknexa Sh.P.K:

Company: Parknexa Sh.P.K
Address: Rruga e Kavajës, Kompleksi Square 21, Tiranë, Albania
Email: info@parknexa.com
Phone: +355692432428
Website: www.parknexa.com

10.2 Data Protection Officer

For data protection specific inquiries:

Data Protection Officer: Parknexa DPO
Email: dpo@parknexa.com
Phone: +355692432428
Address: Rruga e Kavajës, Kompleksi Square 21, Tiranë, Albania

10.3 Rights Requests

When contacting us to exercise your rights: - Identity Verification: State your full name and provide contact details - Specific Request: Clearly describe which right you want to exercise - Supporting Information: Provide any relevant details to help us process your request - Response Time: We will respond within 30 days or explain any delays

10.4 Complaints and Concerns

First Step: Contact us directly to resolve any concerns Data Protection Authority: Albanian Data Protection Authority (Autoriteti për Mbrojtjen e të Dhënave Personale) - Address: Bulevardi “Dëshmorët e Kombit”, Nr. 8, Tiranë, Albania - Email: info@idp.al - Phone: +355 4 2274006

11. REGULATORY COMPLIANCE

11.1 Albanian Law Compliance

This Privacy Policy complies with: - Albanian Law on Personal Data Protection (Law No. 9887/2008, as amended) - Albanian Law on Electronic Commerce (Law No. 10128/2009, as amended) - Albanian Consumer Protection Law (Law No. 9902/2008, as amended) - Other applicable Albanian legislation

11.2 International Standards

We also adhere to: - European Union GDPR principles - ISO 27001 security standards - Industry best practices for data protection

11.3 Regular Compliance Reviews

Annual Reviews: Comprehensive privacy policy and practice reviews
Regulatory Updates: Monitoring of Albanian law changes
External Audits: Independent compliance assessments
Staff Training: Regular privacy training for all personnel

This Privacy Policy is governed by Albanian law and is subject to the jurisdiction of Albanian courts.

Document Version: 2025.06.02
Last Updated: June 1, 2025
Next Review Date: June 1, 2026
Compliance Review Date: June 1, 2025
DPO Approval: June 1, 2025