03/10/2022

INFORMATION PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679 AND NATIONAL LEGISLATION, IN FORCE REGARDING THE PROTECTION OF PERSONAL DATA:

NOOSA INNOVATION Ltd. (hereinafter, “Noosa”), headquartered in Tel Aviv (Israel), 6993516, at 27 Hamatzbeim street, provides below the information pursuant to Article 13 of the EU Regulation 2016/679 and the applicable national legislation on the protection of personal data (hereinafter, “GDPR”) as the Data Controller of the personal data concerning the data subject when the data subject uses Noosa’s IT services.

Purposes of the processing and optional or mandatory nature of providing personal data.

Personal data, are processed by Noosa for the following purposes:

1. a) fulfillment of obligations required by law, regulations, EU legislation, as well as provisions issued by the competent Authorities or Supervisory and Control Bodies. The provision of personal data for these purposes is necessary because failure to provide the data will prevent Noosa from performing the requested activity that presupposes the fulfillment of a legal obligation by Noosa. The legal basis for processing is identified in the fulfillment of legal obligations;

2. b) performance of activities necessary and strictly related and instrumental to the management of contractual relations (e.g. initiation of payment, aggregate statistical processing, fraud prevention, including through identity verification tools, comparison of data for accuracy). The provision of personal data for this purpose is functional to the activities required for the conclusion and execution of contractual relationships and, for these purposes, it is necessary since any refusal to provide them would result in the impossibility of executing the payment transaction. The relevant processing, including communication to the categories of subjects described below, does not require the consent of the data subject. The legal basis for the processing is the performance of contractual obligations;

3. c) management of information technology services supporting the payment process of the merchant lender of a good/service and the exchange of information between the latter and a possible assignee of receivables, with particular regard to the acquisition and management of customer data necessary for the purpose of the merchant lender of goods/services granting a deferred payment of the purchase price of the goods/services marketed and the related possible assignment of the credit to third-party assignees. The provision of personal data for this purpose is functional to the activities required for the conclusion and execution of contractual relationships and, for these purposes, it is necessary because any refusal to provide them would make it impossible to perform the data exchange operations functional to the management of computer services supporting the merchant’s payment process, including the granting of payment deferrals by merchants and the assignment of the related receivables to third-party assignees. The legal basis for processing is the performance of contractual obligations.

4. d) if envisaged by NOOSA insert any marketing purposes of its own not currently envisaged (in which case express and optional specific consents will have to be provided).

Legal Basis

The legal basis is the fulfillment of laws and the performance of contractual obligations.

Methods of personal data processing

The processing of your personal data will be carried out, in compliance with the provisions of the GDPR, by means of paper, computer or telematic tools, with logics strictly related to the indicated purposes and, in any case, in such a way as to guarantee their security and confidentiality in accordance with the GDPR and current regulations.

Persons to whom personal data may be communicated

Personal data may be communicated by Noosa to third parties, including within the territory of the European Union, who will process them as autonomous data controllers or data processors:

• for legal obligations, regulations and EU legislation or for activities related and instrumental to the performance of contractual obligations;in connection with the exchange of information functional to the management of IT services supporting the payment process of the merchant lender of a good/service, including the granting by the merchant of a non-burdensome deferred payment of the purchase price of the goods/services marketed and the possible assignment of credit, from the merchant to a payment institution. Merchants, payment or electronic money institutions, credit institutions and related companies will act as independent data controllers.The names of the entities belonging to the above categories, which may also be located within the territory of the European Union, are available at the registered office of Noosa. For the processing of data Noosa uses employees and collaborators of the units in charge of the relevant activities in charge of the processing. For some activities, Noosa (e.g., data subject identity verification services; IT services; transmission, enveloping, transport and sorting of correspondence activities; registration services by scanning, photocopying and archiving of documents; administrative services) uses third parties as Data Processors pursuant to Article 28 of the GDPR.

Data retention

Noosa processes and retains personal data for the duration of the contractual relationship, for the performance of the fulfillments inherent and consequent thereto, for compliance with applicable legal and regulatory obligations, as well as for its own or third parties’ defensive purposes, and until the expiration of the applicable statutory limitation period, commencing on the date of closure of the data subject’s personal profile. At the end of the applicable retention period, personal data referable to data subjects will be deleted or retained in a form that does not allow the identification of the data subject (e.g. irreversible anonymization), unless their further processing is necessary for one or more of the following purposes: i) resolution of pre-litigation and/or litigation initiated prior to the expiration of the retention period; ii) to follow up on investigations/inspections by internal control functions and/or external authorities initiated prior to the expiration of the retention period; iii) to follow up on requests from Italian and/or foreign public authorities received/notified to Noosa prior to the expiration of the retention period.

Rights of the data subject

The subjects to whom the personal data refer have the right at any time to obtain from Noosa confirmation of the existence or non-existence of the same data and to know its content and origin, verify its accuracy or request its integration or updating, or rectification (Articles 15 and 16 of the GDPR).

In addition, data subjects have the right to request the deletion, restriction of processing, revocation of consent, and portability of data as well as to lodge a complaint with the supervisory authority and to object in any case, for legitimate reasons, to their processing (Art. 17 et seq. of the GDPR).

These rights may be exercised by written notice to be sent to the Data Protection Officer at the registered office of Noosa. Noosa, also through its designated facilities, will take care of your request and provide you, without undue delay, with information regarding the action taken regarding your request.

Data Controller

The data controller is Noosa.