PRIVACY POLICY

Safirum AG takes the protection of personal data seriously. This Privacy Policy explains how we collect, process and protect personal data when you visit www.safirum.com (the "Website") or otherwise interact with us.

This Privacy Policy is based on the Swiss Federal Act on Data Protection (revFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

The controller responsible for the processing of personal data in connection with the Website is:

For data protection enquiries, please contact us at the e-mail address above.

Depending on how you use our Website and services, we may process the following categories of personal data:

• (a) Technical data: IP address, device and browser information, operating system, referring URL, date and time of access, pages viewed, language settings.
• (b) Contact data: name, e-mail address, telephone number, postal address and any other information you provide when contacting us or completing a form on the Website.
• (c) Communication data: content of e-mails, messages and other communications you send to us.
• (d) Business contact data: company name, role, country, and other information provided in the context of a (prospective) business relationship, including investor and partner enquiries.
• (e) Usage data: information about how you interact with our Website, collected through analytics tools (see section 6).

We do not knowingly collect personal data from children. The Website is not directed at children.

We process personal data for the following purposes:

• (a) Operating and securing the Website (legitimate interest / contractual necessity).
• (b) Responding to enquiries and managing communications with you (contractual necessity / legitimate interest).
• (c) Managing (prospective) business relationships, including investor outreach, partner onboarding and due diligence (contractual necessity / legitimate interest).
• (d) Complying with legal and regulatory obligations applicable to Safirum AG, including obligations under the Swiss AMLA, VQF rules and other applicable financial-market regulation (legal obligation).
• (e) Analysing and improving the Website (consent and/or legitimate interest, see section 6).
• (f) Marketing communications, where you have consented or where otherwise permitted by law (consent / legitimate interest).

Where we rely on consent, you may withdraw your consent at any time with effect for the future (see section 11).

A cookie is a small text file stored on your device when you visit a website. We use the following categories of cookies:

• (a) Strictly necessary cookies, required for the technical operation of the Website. These cannot be deactivated.
• (b) Analytics cookies, used to understand how visitors interact with the Website (see section 6). These are set only with your consent.

You can manage your cookie preferences at any time via the cookie banner on the Website and via your browser settings. Disabling cookies may affect the functionality of the Website.

We use web analytics services to understand how visitors use the Website and to improve its content and performance. These services collect information such as your IP address (typically anonymised or shortened), pages viewed, time spent on pages, referring URL, device and browser information.

We use the following analytics service(s):

• - Google Analytics, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (and, for users outside the EEA, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

We have configured Google Analytics to anonymise IP addresses before processing where technically feasible. Google may transfer data to the United States and other countries outside Switzerland and the EEA. Such transfers are safeguarded by appropriate measures (including EU Standard Contractual Clauses and the EU-US Data Privacy Framework, as well as the Swiss-US Data Privacy Framework where applicable).

Analytics cookies are set only with your consent. You may withdraw your consent at any time via the cookie banner.

Further information: https://policies.google.com/privacy https://tools.google.com/dlpage/gaoptout

We disclose personal data only where necessary for the purposes described in this Privacy Policy. Recipients may include:

• (a) Service providers acting as our processors, including providers of website hosting, IT infrastructure, e-mail, analytics, customer relationship management and KYC/AML services (notably SumSub for identity verification). These providers process personal data only on our instructions and under appropriate contractual safeguards.
• (b) Custodian banks and other regulated counterparties, where necessary to provide our services to (prospective) business partners.
• (c) Auditors, lawyers, tax advisors and other professional advisors bound by confidentiality obligations.
• (d) The Financial Services Standards Association (VQF), the Swiss Financial Market Supervisory Authority FINMA, the Money Laundering Reporting Office Switzerland (MROS) and other competent authorities, where required by law.
• (e) Group companies, acquirers or merger partners in the context of a corporate transaction, subject to confidentiality.

Some of our service providers are located outside Switzerland and the European Economic Area (EEA). Where we transfer personal data to a country that does not offer an adequate level of data protection, we implement appropriate safeguards, such as EU Standard Contractual Clauses, the Swiss addendum to such clauses, and / or reliance on recognised adequacy frameworks (e.g. EU-US Data Privacy Framework).

A copy of the safeguards in place can be requested by contacting privacy@safirum.com.

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. In particular:

• (a) Data collected through the Website and analytics: typically retained for up to 26 months, unless required for longer.
• (b) Business communications and contractual records: retained for the duration of the business relationship and afterwards in accordance with legal retention periods (in particular Art. 958f of the Swiss Code of Obligations: 10 years).
• (c) KYC, KYB and AML records: retained for at least 10 years from the end of the business relationship or the transaction, in accordance with Swiss AMLA requirements.

We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, loss or disclosure. These measures are reviewed and updated regularly to reflect the state of the art and the risks associated with processing.

Subject to applicable law, you have the following rights in relation to your personal data:

• (a) Right of access — to obtain confirmation of whether we process personal data about you, and a copy of such data.
• (b) Right to rectification — to have inaccurate or incomplete data corrected.
• (c) Right to erasure — to have personal data deleted, subject to our legal and contractual retention obligations.
• (d) Right to restriction — to restrict processing in certain circumstances.
• (e) Right to object — to object to processing based on legitimate interests, including direct marketing.
• (f) Right to data portability — to receive personal data you have provided to us in a structured, commonly used format (where processing is based on consent or contract and carried out by automated means).
• (g) Right to withdraw consent — to withdraw any consent given, with effect for the future.

To exercise these rights, please contact us at privacy@safirum.com. We may need to verify your identity before responding.

You also have the right to lodge a complaint with a competent data protection authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch. In the EU, you may contact the supervisory authority in your country of residence.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The current version is always available at www.safirum.com/privacy. Material changes will be communicated by appropriate means.