1. Responsible Body (Controller) The responsible body (Controller) within the meaning of the General Data Protection Regulation (GDPR) is JoMoCo UG (haftungsbeschränkt) i. G. Wiesenblick 5 87466 Oy-Mittelberg Germany Represented by Constantin Gaschler Contact Email: info@jomoco-solutions.com Phone: +49 152 23156880 The complete information regarding the company, the power of representation, and the registry status can be found in the imprint of this website.

2. Scope of Application This Privacy Policy applies to all digital offers, platforms, websites, and services of JoMoCo UG (haftungsbeschränkt) i. G., including the cloud-based software solutions provided. It is addressed to both business customers (B2B) and consumers (B2C), insofar as personal data is processed, regardless of the end device or access method used for usage.

3. Types of Processed Data Depending on the type and use of the platform, the following data may be processed in particular: Master data (name, company, address, email address, phone number) Usage data (login times, access, interactions, system settings) Communication data (emails, chat histories, support requests, forms) CRM data (customer history, contacts, status information) Marketing data (newsletters, campaigns, funnels, tracking information) Social media data (scheduled content, interactions, publications) Automation data (triggers, workflows, follow-ups, processes) Analysis and log data (performance, conversion, system logs)

4. Purposes of Processing The processing of personal data takes place for the following purposes: Provision, operation, and further development of the platform Contract execution and billing Customer care, support, and communication Marketing, sales, and analysis purposes Ensuring IT security and prevention of misuse Fulfillment of legal obligations

5. Legal Bases of Processing The processing is carried out on the basis of the following legal bases: Art. 6 Para. 1 lit. b GDPR (performance of a contract or pre-contractual measures) Art. 6 Para. 1 lit. f GDPR (legitimate interest, in particular operation and security of the platform) Art. 6 Para. 1 lit. a GDPR (consent, e.g., for newsletters or marketing cookies)

6. Storage and Deletion Personal data is stored only as long as necessary for the respective purposes or as long as statutory retention periods exist. After the purpose of processing ceases to apply or after expiration of statutory periods, the data will be deleted. 6a. Cookies, Consent, and Similar Technologies Our website and, if applicable, the platform also use cookies, similar technologies, and local storage functions that are technically necessary to ensure the operation and security of the services offered. Insofar as the use of cookies or comparable technologies is not technically necessary, in particular for analysis, tracking, or marketing purposes, this takes place exclusively on the basis of prior consent pursuant to Art. 6 Para. 1 lit. a GDPR in conjunction with § 25 Para. 1 TTDSG (German Telecommunications-Telemedia Data Protection Act). Consent is obtained via a corresponding consent banner and can be revoked or adjusted at any time with effect for the future via the settings provided there.

7. Transfer of Data and Recipients Personal data is passed on exclusively to those recipients whose involvement is necessary for the fulfillment of contractual or legal obligations. These include in particular technical service providers, hosting providers, communication service providers, as well as providers of automation and integration solutions who act either as processors pursuant to Art. 28 GDPR or as independent controllers. If service providers outside the European Union or the European Economic Area are used, data transfer takes place exclusively in compliance with the legal requirements of Art. 44 et seq. GDPR, in particular on the basis of EU Standard Contractual Clauses or comparable appropriate safeguards. A current overview of the categories of service providers used as well as information on sub-processors can be found in addition in the currently valid Data Processing Agreement.

8. Data Security JoMoCo implements appropriate technical and organizational measures to protect personal data against loss, destruction, unauthorized access, unauthorized disclosure, or misuse. These include in particular access restrictions, encryption of data transmissions, data backups, and organizational security measures. 9. Rights of Data Subjects Data subjects have the following rights in particular: Right to information (access) pursuant to Art. 15 GDPR Right to rectification pursuant to Art. 16 GDPR Right to erasure (deletion) pursuant to Art. 17 GDPR Right to restriction of processing pursuant to Art. 18 GDPR Right to data portability pursuant to Art. 20 GDPR Right to object pursuant to Art. 21 GDPR Inquiries can be directed to info@jomoco-solutions.com at any time.

10. Data Processing (Commissioned Processing) Insofar as JoMoCo UG (haftungsbeschränkt) i. G. processes personal data on behalf of the customer, this takes place within the framework of commissioned processing pursuant to Art. 28 GDPR. In these cases, the customer is the controller within the meaning of the General Data Protection Regulation, while JoMoCo acts as the processor. The processing takes place exclusively on the basis of a separate Data Processing Agreement pursuant to Art. 28 GDPR, which is part of the respective contractual relationship. The currently valid Data Processing Agreement is available on the provider's website and applies in addition to the Terms of Use.

11. Technical and Organizational Measures JoMoCo implements appropriate technical and organizational measures pursuant to Art. 32 GDPR to protect personal data against loss, misuse, unauthorized access, or unauthorized disclosure. These include in particular measures for access control, data backup, encryption of data transmissions, and organizational regulations on data security.

12. Data Transfer to Third Countries A transfer of personal data to countries outside the European Union or the European Economic Area only takes place if appropriate safeguards within the meaning of Art. 44 et seq. GDPR exist, in particular through the conclusion of EU Standard Contractual Clauses or comparable protective measures.

13. Automated Decision-Making and Profiling Automated decision-making or profiling within the meaning of Art. 22 GDPR does not take place.

14. Use of Third-Party Providers To provide and operate the platform, JoMoCo uses technical and organizational service providers, particularly in the areas of hosting, platform operation, automation, communication, monitoring, and security. The selection of these service providers is carried out carefully and in compliance with data protection regulations. All service providers used are contractually obliged to comply with the requirements of the General Data Protection Regulation. A named listing of individual service providers is not provided in this Privacy Policy for reasons of technical and operational flexibility. The sub-processors used as well as information on any third-country transfers result from the currently valid Data Processing Agreement.

15. Right of Revocation and Complaint If processing of personal data is based on consent pursuant to Art. 6 Para. 1 lit. a GDPR, this consent can be revoked at any time with effect for the future. In addition, there is a right to lodge a complaint with a competent data protection supervisory authority. The competent authority is in particular the data protection supervisory authority of the federal state in which the data subject has their habitual residence or place of work.

16. Changes This Privacy Policy may be adjusted due to legal, technical, or organizational changes. The current version is available on the website at any time.