Data Privacy Statement
Effective as of February 2026
This data privacy statement applies to DrivenUp AG, a company incorporated in Switzerland with its registered office at Oberallmendstrasse 18, 6300 Zug, Switzerland (the "Company" or "We").
Data privacy and protection is of particular importance to the Company. When we collect personal information from and about you we will only process such information in accordance with applicable laws and regulations and in the manner stated below.
We process personal data only where we have a valid legal basis to do so under applicable data protection law. Where processing is based on your consent, we will obtain such consent separately where required.
Our privacy policy may be adapted over time, in particular if we modify our data processing or if new legal provisions become applicable, notably under the European data protection regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
Definitions
Data protection law regulates the processing of Personal Data. "Personal Data" means any information relating to or that can be associated with an individual. The term "processing" refers to all the handling of your personal data, including its collection, storage, management, use, transmission, disclosure or deletion.
Responsibility for data processing
The owner of the data collection including Personal Data and the person responsible for data processing is the Company. If you have any questions regarding this data privacy policy or the processing of your personal data, please do not hesitate to contact us at: contact@drivenup.com.
Scope of application
This data protection declaration applies to the activity deployed on our website https://www.drivenup.com/ and in our electronic applications. This data protection declaration applies to the processing of personal data already collected and those that will be collected in the future.
This privacy statement does not apply if another company is responsible for processing certain data. Another company may, for example, be responsible, alone or jointly with us, for the processing of certain data when you visit our social media presentations or if you interact with plugins integrated into our websites, or when you visit a third-party website to which we have established a link, or when we transmit personal data to third parties. In these cases, please consult the privacy statement of the company concerned, which you can usually find on its website.
Processing and use of personal data
We process personal data to facilitate business relationships with our customers, to comply with our legal obligations, and to serve our legitimate business purpose and interests. This may involve processing on the following basis:
- Performance of a contract: processing necessary to enter into or perform a contract with you or your organization (e.g., communications concerning the services provided to customers; creation and management of customer accounts and identifiers for these accounts, including the evaluation of applications to start or expand the use of our services).
- Compliance with legal obligations: processing necessary to comply with legal or regulatory obligations.
- Legitimate interests: processing necessary for our legitimate interests as described in this Privacy Policy, provided that such interests are not overridden by your interests or fundamental rights and freedoms.
- Consent: where required by applicable law, we will rely on your consent. You may withdraw consent at any time with effect for the future.
Categories of personal data processed
We may process in particular the following categories of personal data:
- identification and contact data (e.g. name, business address, email, telephone number);
- professional and business-related information (e.g. employer, job title, role);
- account and contractual data (e.g. customer account details, transaction data, communications);
- technical and usage data (e.g. IP address, device identifiers, log data, website usage information);
- marketing and communication preferences; and
- any other information you voluntarily provide to us in the course of our business relationship.
Source of personal data
We generally collect personal data directly from you or from the organization you represent. We may also receive personal data from our customers, business partners, publicly available sources or from service providers acting on our behalf.
Website usage data is captured using first and third-party cookies and other tracking technologies to determine online activity.
When required by law, we will obtain your consent before using cookies or similar technologies on our website for advertising or analytics purposes.
Disclosure of personal data
We do not sell or make your personal data available to marketing professionals or unaffiliated third parties. We share your personal data only with trusted entities, as set out below.
- Intra-group communication. We may share personal data with other group companies so that you can benefit from our services and for internal administrative management purposes.
- Service providers. We share personal data with a limited number of our service providers. We work with various service providers to provide you with certain services on our behalf, including payment services, identity verification, web hosting, data analysis, information technology provision and other related infrastructure, customer service, email distribution and audit. These service providers may need to access personal data to provide these services to you. We authorize these service providers to use or disclose personal data only when it is necessary for the provision of services on our behalf or when required by law. We require these third-party partners to formally agree to protect the security and confidentiality of the personal data they process on our behalf. The majority of our service providers are in the European Union or the United States of America.
- Commercial Partners. We share personal data with our third-party business partners when necessary to enable us to provide our services to our customers.
- Our customers and third parties to which our customers have given their agreement. We share personal data with customers when it is necessary to maintain a customer account and for the purposes of providing our services. We share data with parties to whom a client has granted direct sharing permission.
- Business transactions. When we conclude or seek to conclude a transaction which modifies the structure of the Company, as in the case of a restructuring, merger, sale, joint venture, transfer, change of control or any other alienation of the Company, the Company's share capital or shares, in whole or in part, we may exchange personal data with third parties in order to facilitate and execute the transaction.
- Compliance and prevention of harm. We share personal data when we believe it is necessary: (i) to comply with applicable law or applicable payment rules; (ii) to enforce our contractual rights; (iii) to protect the rights, privacy, security and property of the Company, third parties or you; and (iv) to satisfy requests which may come from a court, law enforcement agency, regulatory authority or any other public and governmental authority, which may include an authority located outside your country of residence.
International data transfer
Personal data may be stored and processed in any country where we are active or where we work with service providers. We may transfer personal data about you in our possession to recipients located in countries other than the country where it was first collected. These countries may have data protection rules different from those in force in your country but offering an adequate level of data protection. If personal data is transferred to countries that do not provide an adequate level of protection according to Swiss or EU data protection law, we implement appropriate safeguards, in particular the execution of standard contractual clauses approved by the European Commission or the competent Swiss authority, or rely on another lawful transfer mechanism provided by applicable law.
Security of personal data
We strive to maintain a level of security adapted to the risk associated with the processing of personal data. Within the Company, we take organizational, technical and administrative measures to prevent illicit access to your personal data, as well as their destruction, loss, alteration or hijacking. Only employees who need access to your personal data to carry out their professional tasks will have access to it.
Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including for the performance of contractual obligations, compliance with legal obligations, dispute resolution and enforcement of our rights.
If you are a customer, we keep your personal data for the duration of the service contract which binds us to you. We keep your personal data after we stop providing services to you to the extent necessary to comply with our legal and regulatory obligations and for fraud surveillance, prevention and detection purposes. We also keep your personal data in order to comply with our tax, accounting and financial obligations. When we store data, we do so in accordance with applicable limitation periods and statutory retention obligations (which may be up to 10 years under Swiss law).
Where personal data is no longer required, it will be securely deleted or anonymized in accordance with applicable law.
Your rights regarding the processing of personal data
You have the right to object to the processing of your data when we process your personal data on the basis of legitimate interest. You can also object at any time to the processing of data relating to direct advertising (e.g. advertising e-mails). If the required conditions are met and no legal exception applies, you also have the following rights:
- Right to information: you have the right to transparent, clear, comprehensible and exhaustive information on the way in which we process your personal data and on the rights from which you benefit in this context. This is the aim pursued by this data protection declaration. Do not hesitate to contact us for any additional information.
- Right to obtain communication of data that concerns you: you have the right to request free information at any time on the entirety of the data saved with us which concerns you. You therefore have the possibility of checking which personal data concerning you we process. In isolated cases, the right to information may be restricted or excluded, particularly if there are doubts as to identity or if this is necessary for the protection of others.
- Right to rectification: you have the right to have inaccurate or incomplete personal data corrected or completed and to be informed of this rectification.
- Right to erasure: you have the right to demand the deletion of your personal data when they are no longer necessary for the purposes pursued, when you have revoked your authorization or objected to the processing, or when they are processed unlawfully. In isolated cases, the right of erasure can be excluded, in particular when the processing is necessary for the exercise of freedom of expression or to assert legal rights.
- Right to restriction of processing: under certain conditions, you have the right to request that the processing of your personal data be limited. This could for example mean that personal data is no longer (until further notice) processed or that published personal data is (until further notice) deleted from a website.
- Right to data portability: you have the right to receive from us personal data that you have made available to us in a structured, customary and machine-readable format, insofar as the concrete processing of data is based on your authorization or is necessary for the performance of a contract, and the processing takes place via automated processes.
- Right of revocation: to the extent that we process your personal data on the basis of an authorization, you have the right to revoke your authorization at any time. Revocation only applies in the future; processing activities based on your consent in the past will not become illegal as a result of your revocation.
Finally, you can lodge a complaint with a responsible supervisory authority concerning the type and method of processing of your personal data, if you consider that the processing of the data is contrary to the legislation in force. The competent supervisory authority in Switzerland is the Federal Data Protection and Transparency Officer (PFPDT) – https://www.edoeb.admin.ch.
If you are located in the European Economic Area, you also have the right to lodge a complaint with the data protection supervisory authority of your habitual residence, place of work or place of the alleged infringement.
Use by minors
Our services are not intended for minors and we ask them not to submit personal data to us through our platforms.