Privacy Policy

The data controller of your personal data is: Rovexaris d.o.o. Ilica 256, 10000 Zagreb, Croatia OIB: 47293816058 Email: privacy@rovexaris.com Phone: +385 1 4820 390 For any questions regarding the processing of your personal data, you can contact our Data Protection Officer at the email address listed above.

We collect the following categories of personal data: • Identification data: name, surname, date of birth, personal identification number • Contact data: email address, phone number, postal address • Financial data: bank account details, transaction history (for investment purposes) • Technical data: IP address, browser type, operating system, cookie data • Usage data: information about how you use our website and services • Communication data: content of messages you send us via the contact form or email

We process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR): • Performance of a contract (Article 6(1)(b) GDPR) — for providing our crowdfunding services • Legal obligation (Article 6(1)(c) GDPR) — for meeting regulatory requirements, including anti-money laundering • Legitimate interest (Article 6(1)(f) GDPR) — for improving our services and platform security • Consent (Article 6(1)(a) GDPR) — for marketing communications and analytics cookies

We use your personal data for: • Registration and management of your user account • Processing investments and financial transactions • Communication about project status and your investments • Meeting legal and regulatory obligations (KYC/AML checks) • Analyzing and improving website functionality • Sending marketing notifications (with your explicit consent) • Responding to your inquiries submitted via the contact form

We may share your personal data with: • Payment processing service providers — for executing financial transactions • Regulatory authorities — when legally required (e.g., HANFA, Tax Administration) • IT service providers — for hosting, security, and platform maintenance • Legal advisors — in case of legal proceedings We do not sell your personal data to third parties nor use it for purposes not specified in this Privacy Policy.

Under the GDPR, you have the following rights: • Right of access — you can request a copy of your personal data • Right to rectification — you can request correction of inaccurate data • Right to erasure — you can request deletion of your data ('right to be forgotten') • Right to restriction — you can restrict how we use your data • Right to portability — you can request transfer of data to another controller • Right to object — you can object to the processing of your data • Right to withdraw consent — you can withdraw consent at any time To exercise these rights, contact us at privacy@rovexaris.com. We will respond to your request within 30 days.

We retain your personal data for as long as necessary to fulfill the purposes for which it was collected: • User account data: until account deletion plus 5 years (legal obligation) • Financial data: 11 years (in accordance with the Anti-Money Laundering Act) • Communication data: 3 years from last communication • Analytics data: 26 months • Cookies: according to category (detailed in Cookie Policy)

We take appropriate technical and organizational measures to protect your personal data, including: • SSL/TLS encryption for all data in transit • Encryption of sensitive data at rest • Regular security audits and penetration testing • Access control based on the principle of least privilege • Regular employee training on data protection

If you believe that the processing of your personal data violates data protection regulations, you have the right to file a complaint with the supervisory authority: Personal Data Protection Agency (AZOP) Selska cesta 136, 10000 Zagreb Phone: +385 1 4609 000 Email: azop@azop.hr Web: www.azop.hr

We reserve the right to modify this Privacy Policy at any time. All changes take effect upon publication on this page. We recommend reviewing this Policy regularly. For significant changes, we will notify you by email or through a prominent notice on the website.