GDPR Compliance

Our commitment to data protection under the General Data Protection Regulation

Last updated: February 14, 2026

1. Our Commitment

NOTSOWMS is fully compliant with Regulation (EU) 2016/679 (GDPR). As a WMS service provider processing warehouse data, orders, and delivery information, we understand the importance of data protection. We act both as a Data Controller (for our direct clients' data) and as a Data Processor (for end-customer data processed through the platform).

2. Data Processing Activities

Within WMS operations, we process:

- Inventory data: products, SKUs, stock levels, warehouse locations
- Order data: order details, delivery addresses, end-customer contact information
- Shipping data: AWBs, tracking, COD reconciliation
- Invoicing data: invoices, e-Factura ANAF data, e-Transport declarations
- Access data: authentication logs, audit trail, user actions

All data is processed on servers located within the European Union.

3. Data Subject Rights

We guarantee the exercise of all rights provided by GDPR:

- Right of access (Art. 15) — response within 30 days maximum
- Right to rectification (Art. 16) — immediate correction in the platform
- Right to erasure (Art. 17) — except for data retained by legal obligation (invoices: 10 years)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20) — JSON/CSV export available
- Right to object (Art. 21)

To exercise your rights, contact us at [email protected].

4. Data Protection Contact

For any questions regarding personal data protection, you can contact us at:

Email: [email protected]
Phone: +40 743 548 754
Address: Timișoara, Romania

5. Sub-processors

We use the following sub-processors, all GDPR compliant:

- Courier services (FAN Courier, Sameday, Cargus, DPD, GLS) — for parcel delivery
- SmartBill / Oblio — for electronic invoice issuance
- ANAF — for e-Factura and e-Transport submission (legal obligation)
- Stripe — for payment processing (PCI DSS Level 1 certified)
- EU cloud provider — for hosting and backup

We have data processing agreements (DPA) with all sub-processors. Clients are notified before adding a new sub-processor.

6. Security Incident Notification

In accordance with Art. 33 and 34 GDPR:

- We notify ANSPDCP within 72 hours of becoming aware of a security incident affecting personal data
- We notify affected Clients without undue delay
- We maintain a security incident register
- We have documented incident response procedures

7. Data Protection Impact Assessment (DPIA)

We have conducted DPIAs for:

- Large-scale processing of order and delivery data
- Integration with external services (couriers, ANAF, invoicing platforms)
- Audit trail system and user action monitoring

DPIAs are reviewed annually or upon significant changes to processing activities.

8. International Data Transfers

All data is stored and processed within the European Union. We do not transfer personal data outside the EEA. In cases where a Client uses integrations with international services (Amazon, eBay, Etsy, DHL, UPS, FedEx), necessary data is transferred based on Standard Contractual Clauses (SCC) approved by the European Commission.

9. Contact and Complaints

For any GDPR-related questions or complaints:

Email: [email protected]
Phone: +40 743 548 754
Address: Timișoara, Romania

Competent supervisory authority: ANSPDCP — National Supervisory Authority for Personal Data Processing
Website: www.dataprotection.ro