Effective date: 01.03.2025
This Privacy Policy informs you about how we process your personal data when you use the DILIZY Management System (hereinafter – “DILIZY”), so you can understand and control how your information is used.
For questions about your personal data or to exercise your rights, please contact us using the details in the “Other Provisions” section below.
DEFINITIONS
Data Subject — a natural person whose personal data we process;
GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation);
Personal Data (PD) — any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Applicable Law — all applicable European Union legislation and all applicable legislation of the Republic of Estonia, including, but not limited to, the domestic implementing acts of the GDPR, which are in force at the time of this Policy or will come into force after the Policy is established;
User or you - a natural or legal person who uses or has intention to use DILIZY and Services;
LUXSTEEL or we or the Controller – LUXSTEEL OÜ, registered number 12178223 and registered address: Graniidi 1, 10413 Tallinn, Estonia.
Database — a database managed by the Controller;
Privacy Policy — this personal data processing document;
Content — Works, data and other materials added to the Database by the Controller or Users;
Services — all services offered to Users through DILIZY in accordance with the Agreement;
Controller — a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of these terms and conditions, LUXSTEEL is the controller of personal data;
Authorized Processor — a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Website means a web page created by the User within the Dealer Management System to facilitate sales and advertisement of the vehicles;
Website User means visitors and/or registered users of the Website.
We play a few different roles under Applicable Laws when it comes to Personal Data. In order to understand your and LUXSTEEL’s obligations, it’s important to understand the difference between LUXSTEEL Controlled Personal Data and User Controlled Personal Data.
- “LUXSTEEL Controlled PD” means personal information for which WE determine the purposes and means of processing. This Privacy Policy only addresses LUXSTEEL Controlled PD.
- “User Controlled PD” means personal information for which a User determines the purposes and means of processing. For User Controlled PD, We act as a data processor, service provider or similar term under applicable law. User Controlled PD includes User Content and Website Users' personal data described in Section 2 that we host and process on behalf of our Users. Our Users tell us what to do with User Controlled PD, and we process it on our Users’ instructions. Our Users are responsible for ensuring that their collection and processing of User Controlled PD complies with applicable law.
If you are a User looking for contractual provisions about how LUXSTEEL will treat and secure User Controlled PD, please see our Data Processing Addendum. We explain below how we collect and use LUXSTEEL Controlled PD and your rights.
If you are a Website User of one of our User’s sites and want to know how a User handles your information, you should check the respective site's privacy policy.
1. PERSONAL DATA WE COLLECT
1.1. Information YOU provide for the User registration:
- Contact data: first name, surname, email address.
- User related information: username, password (encrypted and securely stored), preferred communication language.
Legal basis for the processing: Article 6 (1) (b) of the GDPR, after termination of the contract Article 6 (1) (f) of the GDPR.
Retention period: up to 3 years after termination of the contract (Art. 146(1) An Act on the General Part of the Civil Code).
1.2. Information YOU provide to enable the Service provision and information WE collect during the Service provision:
- Contact data: name and surname, personal identification number, e-mail address, telephone number, date of birth, tax identification number, photo identification and nationality. To verify your identity, we may request a copy of your identification document. This document will be used solely for verification purposes and will not be retained by us. If we use third-party services for verification, we will only do so if we have Data Processing Agreements in place with those providers.
- User-related information: username, password (encrypted and securely stored), communication language.
- Information related to User transactions: information about transactions, such as listed/sold vehicles and spare parts (i.e. their images, description, cost), in the case of a vehicle sale also the vehicle registration number, VIN code, vehicle location and other vehicle documentation related to the insurance, maintenance etc. Please note that by sending the vehicle identification number (VIN) of the advertised or managed vehicles as part of using the services (e.g. when creating or automatically transmitting an advertisement), You grant DILIZY the right to permanently save the VIN and to use it for analysis purposes and to improve the services (increasing the quality of the advertisements, transparency, fraud prevention) and to transmit it for these purposes to third parties for the clear identification of the vehicle. You may send only a valid VIN in a standard format.
- IP addresses, preferences, web pages you visited prior to coming to Website, information about your browser, network or device (such as browser type and version, operating system, internet service provider, preference settings, unique device IDs and language and other regional settings), information about how you interact with the Services and Websites (such as timestamps, clicks, scrolling, browsing times, searches, transactions, referral pages, load times, and problems you may encounter, such as loading errors).
Legal basis: Article 6(1) (b) of the GDPR, after termination of the contract Article 6(1) (f) of the GDPR.
Retention period: up to 3 years after termination of the contract (Art. 146(1) An Act on the General Part of the Civil Code).
1.3. Information WE collect during communication and submitting reviews:
- Information relating to the requests and reviews (complaints, inquiries, suggestions, or other communications): content of the request, contact details of the User (first name, surname, e-mail address).
Legal basis: Article 6(1) (b) of the GDPR, after termination of the contract Article 6(1) (f) of the GDPR.
Retention period: up to 3 years after termination of the contract (Art. 146(1) An Act on the General Part of the Civil Code).
1.4. Information WE process for the advertising and marketing purposes:
- Contact details: name and surname, e-mail address.
Legal basis: Article 6 (1) (a) of the GDPR.
Retention period: until consent is withdrawn.
For marketing purposes, we retain information about Users who have shown interest in our products or services (but haven't become registered customers yet) for 12 (twelve) months. This is how long our usual marketing campaigns last.
1.5. Information WE collect when processing payment data:
- Information related to the invoice, such as paid and unpaid invoices with dates, bank account number, etc.
- Accounting documents required for the performance of a legal obligation.
Legal basis: Article 6(1) (b) of the GDPR, after termination of the contract, Article 6(1) (f) or Article 6(1) (c) of the GDPR.
Retention period: up to 3 years after the provision of the service (Art. 146(1) An Act on the General Part of the Civil Code) or, to the extent that accounting documents are concerned, 7 years pursuant to the Accounting Act (Art. 12(4) RPS).
2. PERSONAL DATA OF THE WEBSITE USERS.
Users who have created a Website using DILIZY are responsible for what they do with the personal data they collect, directly or through DILIZY, about their Website Users where they are a controller for such processing.
a. Your relationship with Website Users:
You will collect personal information about your Website Users. For example, YOU may ask for their name, address, e-mail address and payment information so that you can complete the sales. You may also use cookies and similar technologies to analyze usage and other trends.
You're solely responsible for complying with any laws and regulations that apply to your collection and use of your Website Users’ information, including personal information you collect about them from us or using DILIZY functionality or cookies or similar technologies. Please be aware that you and DILIZY may be independent controllers of some data (“Independently Controlled Data”). Independently Controlled Data includes data related to your Website Users’ interactions with Your Site such as IP address, device/browser details, web pages visited prior to coming to Your Site and browsing activity on Your Site. Independently Controlled Data may be collected by the Services through a Website User’s browser and technologies like cookies. Note that Independently Controlled Data is LUXSTEEL Controlled PD with respect to processing by LUXSTEEL (we determine the purposes and means of the processing) and User Controlled PD with respect to processing by a User (for which the User determines the purposes and means of the processing).
You must publish your own privacy and cookie policies and comply with them.
We’re not liable for your relationship with your Website Users or how you collect and use personal information about them (even if you collect it from us or using DILIZY functionality or cookies or similar technologies) and we won’t provide you with any legal advice regarding such matters.
b. Website User payment information:
If you integrate Website with third party e-commerce Payment Processors, Website Users’ payment information may be processed via third party e-commerce Payment Processors, in accordance with such e-commerce Payment Processors’ terms and policies. We transmit Website Users’ complete payment information when they initially provide or update it only so that we can pass it along to the e-commerce Payment Processors you agree to use. With respect to such third party e-commerce Payment Processors integrated with Website, we don’t collect or store your Website Users’ payment information.
3. HOW WE USE YOUR PERSONAL DATA.
3.1. We process Personal Data for the following purposes:
- Service Provision. Create and manage your account, provide and personalize our Services, process payments and respond to your inquiries etc.
- Communication. Sending you emails about your activities with DILIZY and other Service-related announcements; administer surveys, contests and other promotions.
- Promotion. Promote our Services and send you tailored marketing communications about products, services, offers, programs and promotions of DILIZY and our partners and measure the success of those campaigns. For example, we may send different marketing communications to you based on your subscription plan or what we think may interest you based on other information we hold about you.
- Advertising. Analyze your interactions with our Services and third parties’ online services so we can tailor our advertising to what we think will interest you. For example, we may choose to serve you a particular advertisement based on your subscription plan or what we think may interest you based on other information we hold about you.
- Customizing the Services. Provide you with customized services. For example, we use your location information to determine your language preferences or display accurate date and time information. We also use cookies and similar technologies for this purpose.
- Improving our Services. Analyze and learn about how the Services are accessed and used, evaluate and improve our Services (including by developing new products and services and managing our communications) and monitor and measure the effectiveness of our advertising. We usually do this based on anonymous, pseudonymized or aggregated information which does not identify you directly.
- Security. Ensure the security and integrity of our Services.
- Third party relationships. Manage our vendor and partner relationships.
- Enforcement. Enforce our Terms of Service and other legal terms and policies.
- Protection. Protect our and others’ interests, rights and property (e.g., to protect our Users from abuse).
- Complying with law. Comply with applicable legal requirements, such as Anti-Money Laundering, Tax and other government regulations and industry standards, contracts or law enforcement requests.
3.2. We process Personal Data for the above purposes only when:
- Consent. You have given us your explicit consent to process your Personal Data, the legal basis for processing your Personal Data is your consent. In such cases, we will only process your Personal Data for the purposes and to the extent specified in the consent. Please note that once you have given us your consent to process your Personal Data, you have the right to withdraw your consent at any time. The legal basis for the processing of Personal Data for such processing is Article 6(1) (a) of the GDPR.
- Performance of Contract. We process Personal Data primarily for the provision of services and the performance of contractual obligations. The legal basis for the processing of Personal Data for the purposes of the provision of the service is Article 6(1) (b) of the GDPR (processing of Personal Data is necessary for the performance of a contract entered into with the involvement of the Data Subject or for the performance of pre-contractual activities at the request of the Data Subject).
- Compliance with a legal obligation. We will process Personal Data where it is necessary to comply with legal obligations to which we are subject. For example, where we are required to provide Personal Data by a court pursuant to a valid court order or judgment, or where we are required to provide Personal Data by a law enforcement authority pursuant to a valid regulation. Also, if we are required to retain Personal Data under, for example, the Accounting Act or other applicable law. The legal basis for the processing of Personal Data for such processing is Article 6(1) (c) of the GDPR (processing of Personal Data is necessary for compliance with a legal obligation to which the controller is subject).
- Compliance with the Anti-Money Laundering requirements. To comply with Anti-Money Laundering (AML) requirements and ensure we are not engaging with individuals involved in illegal activities, we process Personal Data to identify our clients. This may include collecting information such as your name, date of birth, address, identification number, and identity documents.
- Legitimate interest. In certain cases, we may also process Personal Data where it is necessary for our legitimate interests. In such cases, the legal basis for the processing of Personal Data is Article 6(1) (f) of the GDPR. We will only process Personal Data on the basis of legitimate interest where such processing is not overridden by the interests or fundamental rights and freedoms of the Data Subject on whose behalf the Personal Data must be protected. We will only process data on the basis of a legitimate interest which has been obtained from the Data Subject or has arisen in the course of the performance of a contract. We may have a legitimate interest to process Personal Data where it is necessary for the establishment, exercise or defense of legal claims. For example, such a need may arise in a situation where the Data Subject is in breach of contract (e.g. illegal transactions, false advertisement etc.). Data processed on the basis of legitimate interest will be kept for a statutory period of 3 years after the provision of the service.
4. YOUR RIGHTS, AS A DATA SUBJECT.
- Right of access: the right to ask us at any time whether or not we hold Personal Data about him or her and to be informed of what Personal Data we are processing about him or her;
- Right to rectification of personal data: the right to request us to rectify or correct his or her Personal Data if it is insufficient, incomplete or incorrect;
- Right to object: the right to object to the processing of your Personal Data by us, for example, where the use of your Personal Data is based on our legitimate interest;
- Right to request the erasure of Personal Data: the right to request the erasure of Personal Data, for example where Personal Data is processed with the consent of the Data Subject and the Data Subject has withdrawn consent;
- Right to restriction of processing: the right to request that we restrict the processing of Personal Data on the basis of the Applicable Law, for example where we no longer need to process the Personal Data;
- Right to withdraw consent to the processing of Personal Data: where the processing of Personal Data is based on the consent of the Data Subject, the Data Subject has the right to withdraw the consent given to us at any time;
- Right to data portability: the right to receive from us Personal Data which the Data Subject has provided to us and which are processed on the basis of the Data Subject's consent or in order to perform a contract with the Data Subject, in written form or in a commonly used electronic format, and, where technically feasible, to request that we transfer such data to another Data Controller;
- Right to change and modify Personal Data. You can change provided Personal Data through your personal account or by sending a request to this e-mail address: gdpr@dilizy.ai
- Right to submit a complaint.
The rights listed here are not exhaustive. In certain cases, the rights of other Data Subjects or our legal obligations may limit your rights.
You can also request the deletion of your Personal Data, anonymization, or the export of the provided Personal Data in a structured, commonly used, machine-readable format by sending a corresponding request to this email address: gdpr@dilizy.ai.
The deletion, data export and anonymization requests will be fulfilled within 3 (three) business days after confirmation of the request, provided there are no legal obligations to retain such Personal Data. We maintain a record of all requests to ensure compliance with legal requirements.
5. TRANSFERS OF PERSONAL DATA AND AUTHORISED PROCESSORS.
5.1. We will not transfer Personal Data to third parties, except where we have a legal right to do so under Applicable Law.
5.2. Personal data may be transferred outside the European Union for processing by our partners or service providers located in third countries. In such cases, we take the necessary measures to ensure adequate protection of your data, in accordance with EU Data Protection laws, in particular through the use of standard contractual clauses or other appropriate mechanisms.
5.3. We may engage Authorized Processors to process personal data. These Authorized Processors, who are permitted to process personal data only under limited circumstances, include various service providers necessary for the functioning of DILIZY, such as payment processors.
5.4. Our Authorized Processors are trusted partners who are contractually obligated to process personal data in compliance with Applicable Law and Data Processing Agreements.
6. DATA PROTECTION
6.1. We ensure the security of the processing of Personal Data in order to protect Personal Data against accidental or unauthorized processing, disclosure or destruction.
6.2. We take the security of your personal data seriously. We use up-to-date technology and security measures to protect your information, and we regularly assess the risks involved in processing different types of data.
6.3. DILIZY provides tools to assist Users with AML compliance. However, each User is independently responsible for ensuring that all data processing activities comply with applicable law, including accuracy and legality.
7. OTHER PROVISIONS
7.1. Subject to changes in legislation or practice, we reserve the right to amend this Privacy Policy and the amended text will be published immediately. We will notify you of all amendments by email.
7.2. If you have questions, comments or complaints about this Privacy Policy or our privacy practices or if you would like to exercise your rights, please email us at gdpr@dilizy.ai, or write to us at the addresses below:
LUXSTEEL OÜ
Attention: Legal – Privacy
Graniidi 1, 10413 Tallinn, Estonia
DATA PROCESSING ADDENDUM
EFFECTIVE DATE: 01/03/2025
This DILIZY Data Processing Addendum (this "DPA") forms part of, and is subject to the provisions of, the DILIZY General Terms and Conditions (Terms). Capitalized terms that are not defined in this DPA have the meanings set forth in the Terms and Privacy Policy.
DEFINITIONS.
Breach means a breach of the Security Measures resulting in access to equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by LUXSTEEL on your behalf and instructions through the Services.
Data Subject — a natural person whose personal data we process;
GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation);
Personal Data (PD) — any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Applicable Law — all applicable European Union legislation and all applicable legislation of the Republic of Estonia, including, but not limited to, the domestic implementing acts of the GDPR, which are in force at the time of this Policy or will come into force after the Policy is established;
User or you — a natural or legal person who uses DILIZY and Services;
LUXSTEEL or we, us, our or the Controller – LUXSTEEL OÜ, registered number 12178223 and registered address: Graniidi 1, 10413 Tallinn, Estonia.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Services — all services offered to Users through DILIZY in accordance with the Agreement;
Controller — a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of these terms and conditions, LUXSTEEL is the controller of personal data;
Website/s means a web page created by the User within the Dealer Management System to facilitate sales and advertisement of the vehicles;
Website User/s means visitors and/or registered users of the Website.
Covered Data means your User Content, including without limitation text, photos, images, audio, video, code, and any other materials provided to us by you or your Website User.
Security Measures means the technical and organizational security measures applied by LUXSTEEL.
Sub-Processor means an entity engaged by DILIZY to process Your Controlled Data.
Your Controlled Data means any personal data included in the Covered Data. Your Controlled Data is data for which you determine the purposes and means of processing and for which LUXSTEEL acts on your behalf as a processor, service provider or similar term under applicable Data Protection Laws.
1. APPLICABILITY.
This DPA only applies to you if and to the extent LUXSTEEL and the Services process Your Controlled Data on your behalf. This DPA does not apply to you if: (a) your Covered Data does not include any personal data; or (b) Data Protection Laws do not apply to your Covered Data.
You agree that LUXSTEEL is not responsible for personal data that you have decided to process through Third Party Services or otherwise outside of the Services, including the systems of any other third party cloud services, offline or on-premises storage.
2. DATA PROCESSING.
2.1. Subject Matter. The subject matter of the data processing under this DPA is Your Controlled Data.
2.2. Duration. As between you and us, the duration of the data processing under this DPA is determined by you.
2.3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by you from time to time. In connection with providing the Services, we may process Your Controlled Data for business purposes such as: (a) maintaining and servicing your Account(s); (b) serving and rendering your Websites to your Websites Users; (c) enabling you to transact and communicate with your Websites Users; (d) providing analytics, auditing or verifying events related to Websites Users’ visits to your Websites; (e) ensuring the security and integrity of the Services; and (f) debugging, and improving the Services.
2.4. Nature of the Processing. The Services as described in the Agreement and initiated by you from time to time.
2.5. Type of Personal Data. Your Controlled Data relating to you, your Websites Users or other data subjects whose personal data is included in Covered Data which is processed as part of the Services in accordance with instructions given through the Services.
2.6. Categories of Data Subjects. You, Your Websites Users and any other individuals whose personal data is included in Covered Data.
3. PROCESSING ROLES AND ACTIVITIES.
3.1. You are the Controller and LUXSTEEL is the Processor of Your Controlled Data.
3.2. LUXSTEEL as Controller. We may also be an independent controller for some personal data relating to you or Websites Users. Please see our Privacy Policy and Terms for details about this personal data which we control. We decide how to use and process that personal data independently and use it for our own purposes. When we process personal data as a controller, you acknowledge and confirm that the Agreement does not create a joint-controller relationship between you and us. If we provide you with personal data controlled by us, such as in any access to data regarding your Website Users’ interactions with Website, you receive that as an independent data controller and are responsible for compliance with Applicable Laws in that regard.
3.3. Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured or modified through the Services (the “Purpose”). For example, depending on how you use the Services, we may process Your Controlled Data in order to: (a) enable you to integrate content or features from a social media platform on Website; or (b) email Websites Users on your behalf.
3.4. Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data (including Applicable Laws) and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including Applicable Laws). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this DPA. LUXSTEEL will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
4. OUR PROCESSING RESPONSIBILITIES.
4.1. How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through the Services. You agree that the Agreement and the instructions given through the Services are your complete and final documented instructions to us in relation to Your Controlled Data. Additional instructions outside the scope of this DPA require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe Applicable Laws, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
4.2. Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under Applicable Laws. We will, to assist you in complying with your notification obligations under Applicable Laws (including Articles 33 and 34 of the GDPR), provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section 4.2 is not and will not be construed as an acknowledgement by LUXSTEEL of any fault or liability of LUXSTEEL with respect to the Breach. Despite the foregoing, our obligations under this Section 4.2 do not apply to incidents that are caused by you, any activity on your Account(s) and/or Third Party Services.
4.3. Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving: (a) an inquiry or complaint from a Website User or other individual whose personal data is included in Your Controlled Data; or (b) a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data.
4.4. Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Services or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Applicable Laws (including Chapter 3 of the GDPR), taking into account the nature of the Services and information available to us. To the extent required by Applicable Laws, you may ask us to assist you by verifying that we no longer retain or use any of Your Controlled Data related to a data subject who has made a valid request to you to delete their personal data. You will be responsible for our reasonable costs arising from our provision of any such assistance. It is expected that you will respond to our requests within ten business days or the timeframe specified in the request, whichever is shorter. Refusal to reasonably assist with compliance will be considered as a breach of Agreement.
4.5. We will maintain the Security Measures and the safeguards. We may change or update the Security Measures or safeguards but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under Applicable Law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
4.6. Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the Services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this DPA, to the extent applicable to the nature of the Services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to gdpr@dilizy.ai. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to gdpr@dilizy.ai. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate the Services or, if possible, the portions of the Services that involve use of such Sub-Processor. Except as set forth in this Section 4.6, if you object to any Sub-Processors, you may not use or access the Services. You consent to our use of Sub-Processors as described in this Section 4.6. Except as set forth in this Section 4.6 or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. 
We will remain responsible for our compliance with the obligations of this DPA and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause us to breach any of our obligations under this DPA, solely to the extent that LUXSTEEL would be liable under the Agreement if the act or omission was our own.
4.7. LUXSTEEL may (where required by Applicable Laws) use external or internal auditors to verify the adequacy of our Security Measures or as otherwise required by Applicable Laws.
4.8. Customer Audits and Information Requests. You agree to exercise any right you may have to conduct an audit or inspection by instructing LUXSTEEL to carry out the audit described in Section 4.7. You agree that you may be required to agree to a non-disclosure agreement with LUXSTEEL before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate. If LUXSTEEL does not follow such instruction or if it is legally mandatory for you to demonstrate compliance with Applicable Laws by means other than reviewing a report from such an audit, you may only request a change in the following way:
a. First, submit a request for additional information in writing to us, specifying all details required to enable us to review this request effectively, including without limitation the information being requested, what form you need to obtain it in and the underlying legal requirement for the request (the “Request”). You agree that the Request will be limited to information regarding our Security Measures or as otherwise required by Applicable Laws.
b. Within a reasonable time after we have received and reviewed the Request, you and we will discuss and work in good faith towards agreeing on a plan to determine the details of how the Request can be addressed. You and we agree to use the least intrusive means for LUXSTEEL to address the Request, taking into account applicable legal requirements, information available to or that may be provided to you, the urgency of the matter and the need for us to maintain uninterrupted business operations and the security of our facilities, to protect ourselves and our customers from risk, and to prevent disclosure of information that could jeopardize our confidentiality or our users’ information.
You will pay our costs in considering and addressing any Request. Any information and documentation provided by us or our auditors pursuant to this Section 4.8 will be provided at your cost. If we decline to follow any instruction requested by you regarding audits or inspections, you may cancel any affected paid Services.
4.9. Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this DPA, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with Applicable Laws). The information to be made available by us under this Section 4.9 is limited to solely that information necessary, taking into account the nature of the Services and the information available to LUXSTEEL, to assist you in complying with your obligations under Applicable Laws in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with us before we share any such information with you.
4.10. Requests. You can delete or access a copy of some of Your Controlled Data through the Services. For any of Your Controlled Data which may not be deleted or accessed through the Services, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which we maintain in order to comply with Applicable Law or as otherwise set forth in the Agreement). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy.
5. DATA TRANSFERS.
You will use the applicable Data Privacy Framework to lawfully transfer personal information received from the EEA, Switzerland and/or the UK to third countries, and ensure that it provides at least the same level of protection to such personal information as is required by Applicable Laws. Otherwise, you will not transfer Your Controlled Data outside the EEA.
6. LIABILITY.
The liability of each party under this DPA is subject to the exclusions and limitations in the Agreement. You will indemnify LUXSTEEL for any regulatory penalties, claims by data subjects, or other liabilities arising from your failure to comply with the Agreement, this DPA, or Applicable Laws in relation to Your Controlled Data. These amounts will offset our maximum aggregate liability to you.
7. MISCELLANEOUS.
You are responsible for any costs and expenses arising from LUXSTEEL’s compliance with your instructions or requests pursuant to the Agreement (including this DPA) which fall outside the standard functionality made available generally through the Services.
8. MODIFICATIONS TO THIS DPA.
We may modify this DPA from time to time, and will post the most current version on our site. If a modification meaningfully reduces your rights, we may notify you in accordance with the procedures set forth in our Terms. By continuing to use or access the Services after any modifications come into effect, you agree to be bound by the modified DPA. If you disagree with our changes, then you must stop using the applicable Services and cancel the applicable paid Services.