PRIVACY AND PERSONAL DATA PROTECTION POLICY
Investment Intermediary "UG Market" EAD guarantees the confidentiality of non-public
information and personal data provided by all clients, partners, and employees of the company, as
well as all visitors and users of the website www.ugmarket.com. This Policy aims to comply with
the requirements of Regulation (EU) 2016/679 of the European Parliament and the Council of
April 27, 2016, regarding the protection of natural persons concerning the processing of personal
data and on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation or "GDPR"), the Personal Data Protection Act, and the Guidelines for
Transparency of the European Working Group under Article 29.
Information about the Personal Data Administrator
Investment Intermediary "UG Market" EAD is the administrator of personal data. As a personal
data administrator, we carry out our activities in compliance with the Personal Data Protection
Act and GDPR, collecting only the necessary personal data in relation to contractual relationships
and/or for the provision of services, processing them responsibly and lawfully.
Contact Details:
Investment Intermediary "UG Market" EAD
Address: 7a Kolyu Ficheto Street, Floor 1, Plovdiv
Phone: 032/ 625 401
Email: office@ugmarket.com
I. Principles Related to the Processing of Personal Data
When processing your personal data, we adhere to the following principles:
1. Lawfulness, fairness, and transparency – We process your personal data lawfully, fairly,
and transparently.
2. Purpose limitation – The personal data we collect is for specific, explicitly stated, and
legitimate purposes and is not further processed in a manner incompatible with these
purposes.
3. Data minimization – Personal data is appropriate, relevant, and limited to what is
necessary in relation to the purposes for which it is processed.
4. Accuracy – We take measures to promptly delete or correct inaccurate personal data.
5. Storage limitation – We store your personal data for a period no longer than necessary for
the purposes for which the personal data is processed and in accordance with legally
defined deadlines.
6. Integrity and confidentiality – We apply appropriate technical and organizational
measures to process your personal data in a way that ensures an appropriate level of
security, including protection against unauthorized or unlawful processing and accidental
loss, destruction, or damage.
II. What Information About You Will We Collect and Store?
"Personal data" or "personal information" means any information about a natural person by which
that person can be identified.
Information collected concerning the application of the Anti-Money Laundering Act
As a liable entity under the Anti-Money Laundering Measures Act (AMLMA), we are obliged to
identify our clients before entering into contractual relationships with them.
1. Identification of natural persons is carried out through the submission of an official
identification document and the capture of a copy of it. When identifying natural persons,
we collect data on:
o Names;
o Date and place of birth;
o Official personal identification number or other unique identification element;
o Every citizenship you hold;
o Country of permanent residence and address;
o Data on your professional activity.
2. When identifying legal entities and other legal formations, data is collected on the type and
composition of the collective management body, legal representatives, and beneficial
owners of the legal entity or legal formation. Concerning the legal representatives of the
client legal entity or other legal formation, proxies, and other individuals subject to
identification in relation to the identification of the client legal entity or other legal
formation, the data listed under point 1 is collected. For every natural person who is the
beneficial owner of a client – legal entity or other legal formation, the data listed under point
1, letters "a" – "d", is collected.
3. In certain cases, we may collect data about your marital status, the origin of your funds,
partnership business relationships, and other data required for the purposes of the
AMLMA, the AML Regulation, the Counter-Terrorism Financing Act, and the sanction
policies of the UN and EU.
Information collected regarding the application of the Financial Instruments Market Act and
other applicable regulatory acts
In certain cases, for example, when you wish us to provide you with investment advice or the
service of managing an individual portfolio, it will be necessary to provide us with information about
your knowledge and experience in the investment field, your investment objectives, including the
permissible level of risk, and your financial situation (sources and size of your regular income, your
assets, regular financial obligations, etc.). This information is needed for us to carry out a suitability
assessment that will allow us to act in your best interest. If you do not provide us with the
information necessary for the suitability assessment, we are not entitled to provide you with
investment advice or the service of managing an individual portfolio.
Information collected concerning the fulfillment of contractual relationships
Regarding our contractual relationships, we will also require the following information from you:
Tax identification number of the jurisdiction where you are a tax resident;
Correspondence address;
Phone number;
Email address;
Bank account number (in case you sign a contract with us remotely or need to make a
payment via bank transfer).
Information collected on our corporate website
On our corporate website, the following information may be collected:
Unique browser identifier;
History of visited pages, including secondary processing to determine preferences for
certain types of content;
Search history on the corporate website;
Data collected from cookies.
When you use our website, the cookies we use help us understand how our services work most
effectively. Cookies are small text files that are sent from the web server to the browser used and
stored on your device so that our site can recognize it. There are two types of cookies – permanent
and temporary or "session" cookies. Permanent cookies are stored as a file on your computer or
mobile device for a longer period. Session cookies are temporarily stored on your computer when
you visit our site but are deleted when the page is closed. Most cookies do not contain sensitive
information or personal data that can directly identify individuals. The main purposes for which
cookies are used include tracking user behavior in the following areas: tracking sections of the site
the user visits; how long the user stays on the site; how long the user watches a video; ads the
user has seen and/or interacted with; when the user visits our corporate website. Some cookies
are important for the functioning of the website and are automatically activated when users visit it.
You can manage the cookies you accept and reject, as well as delete those already stored on your
device, using your browser settings.
If you use our contact form on our corporate website, you agree that your email address and
name will be used only for correspondence with you, after which they will be deleted.
We do not collect or process personal data revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, or membership in trade unions, genetic and biometric data, health
data, or data about sexual life or sexual orientation.
We do not engage in automated decision-making using data.
Information collected during the use of the electronic trading platform via computer or
mobile device
This information may include:
IP address;
Browser and device information;
Information aggregated in a way that no longer reveals your identity. We may combine
personal data and other information, and if we are required by law, we will treat such
combined information as personal data.
How do we collect this information?
Via your browser or device: Most browsers automatically collect certain information from
your device, such as your media access control address, type of computer, screen
resolution, name and version of the operating system, device manufacturer and model, and
language or internet browser. We use this information to ensure that the services we
provide to you work correctly.
Via your IP address: Your IP address (internet protocol) is a unique identifier used by
electronic devices to identify and communicate with each other on the internet. We identify
your IP address and log it in our server logs when you access our websites, along with the
time and pages visited. Collecting IP addresses is standard practice and is done
automatically by many websites, apps, and other services. We use IP addresses for
reasons such as calculating usage levels, diagnosing server issues, and administering
services.
Using the UG Market Trader electronic order submission system via mobile device,
we collect and store information about the IP addresses from which orders are submitted
for transactions with financial instruments.
Physical location: We may collect information about the physical location of your device,
for example, via satellite, mobile phone tower, or Wi-Fi signals. In some cases, when
remotely signing a contract, the investment intermediary may require the individual to send
a screenshot from their mobile phone using Google Maps, showing their geographic
location at the time of sending the identification documents to the investment intermediary.
The screenshot must also show the time it was created.
Video conferencing calls: In some cases, the investment intermediary uses additional
methods to verify the identity of the client or their beneficial owner when remotely signing a
contract for investment and/or additional services.
Video Surveillance
Video surveillance is conducted 24/7 in the premises and the area around the office building of UG
Market EAD.
The purposes of video surveillance are:
To ensure the protection of property in compliance with the requirements of Ordinance No.
RD-02-20-16 of December 19, 2016, of the Ministry of Regional Development and Public
Works (MRDPW);
Visual control over client movements to improve the safety and security of employees and
clients;
Prompt response to illegal actions;
Situation control in the office building area;
Improving the quality of services provided.
Video surveillance data is stored and processed in accordance with current data protection
legislation. Video recordings are stored for a period of 30 days, after which they are deleted. Video
recordings are not shared with third parties unless the law requires otherwise. Access to video
surveillance data is limited to certain employees of the company. Appropriate security measures
are taken to prevent unauthorized access to the images.
If you wish, you can request more information about the video surveillance carried out, a copy of
the collected data, or its deletion.
III. When Do We Collect Your Personal Data?
We collect your personal data before entering into a contract with you. This information is provided
either directly by you as our client or legal representative/proxy of our client, or through legal
representatives/proxies of our client-legal entity, if you are the beneficial owner of our client-legal
entity or another person requiring identification under the Anti-Money Laundering Act.
IV. How Will We Use Your Personal Data?
We will use your personal data only when permitted by law. Most commonly, we will use your
personal data in the following cases:
To fulfill our contract with you;
To comply with a legal obligation;
When necessary for our legitimate interests (or those of third parties), and when your
interests and fundamental rights do not override these interests.
Additionally, we may use your personal data in the situations listed below, though we expect them
to occur rarely:
To protect your interests (or the interests of another person);
When processing is of public interest.
Situations in Which We Will Use Your Personal Data
We will primarily use the categories of personal data listed in Part II (see above) to fulfill our
contractual obligations to you and comply with our legal obligations. In some cases, we may use
your personal data for our legitimate interests or those of third parties, but only if your interests or
fundamental rights do not override those interests.
What Happens If You Do Not Provide the Personal Data We Require?
Providing personal data is entirely voluntary. Some of the personal data we collect is required by
applicable law, and failure to provide it may prevent us from entering into a contract with you or
providing you with a service.
Change of Purposes
We will use your personal data only for the purposes for which we have collected it unless we
reasonably determine that we need to use it for another reason, and that reason is compatible with
the original purpose. If we need to use your personal data for another purpose, we will notify you
and explain the legal basis for such use.
V. To Whom Will Your Personal Data Be Disclosed or Shared?
We do not authorize, sell, disclose, or share your personal data with other individuals or unrelated
companies unless necessary to provide our services, and unless you have given us permission, or
in one of the following cases:
The information is provided to trusted partners and contractors based on contractual
relationships and under confidentiality agreements. These persons and companies may
have access to your personal data. However, they do not have the right to share this
information independently. Such contractors may include, but are not limited to: auditors,
hosting service providers, financial, legal, and IT consultants, servicing banks, depositories,
licensed investment intermediaries, payment systems and institutions, transaction registers,
etc.
Information is provided under applicable law to Central Depository AD, Bulgarian
Stock Exchange AD, Financial Supervision Commission, and National Revenue
Agency, among others.
We may provide information in compliance with court orders and legitimate requests
from authorized bodies (under the Electronic Communications Act, Criminal Procedure
Code, Criminal Code, etc.), including regulators, courts, bailiffs, National Security
Agency (DANS), National Revenue Agency (NRA), Commission for Personal Data
Protection (CPDP), notaries, receivers, liquidators, and other data processors. In such
cases, we ensure that data processing is carried out in accordance with regulatory
requirements, our instructions, and with appropriate data security measures in place.
We reserve the right to share personal data in the event of corporate reorganizations,
assignments, business transfers, and liquidation or insolvency procedures, among other scenarios.
If you do not want us to send information to certain of our contractors or partners, you can
withdraw your consent in writing.
How Do We Ensure the Security of Your Information When Sharing It with Third Parties?
We will share your personal data with third parties only when required by law, when necessary for
administering the contractual relationship, or when we have another legitimate interest. We require
all third parties to respect the security of the data and to comply with data protection laws. All third
parties are required to take appropriate security measures to protect your personal information.
They cannot use your personal data for their own purposes and may only process it for specified
purposes.
VI. Data Security
We have implemented appropriate measures to prevent accidental loss, unauthorized use or
access, alteration, or disclosure of your personal data. In addition, we limit access to your personal
data to those employees and third parties who need it for their work. They will process personal
data only according to our instructions and are subject to confidentiality obligations.
VII. How Long Will We Process Your Personal Data?
We will store your personal data only for the period necessary to fulfill the purposes for which we
collected it, including to comply with legal requirements. Data storage continues as long as we
have a legal basis for storing it. After this period expires, we will take the necessary steps to delete
or destroy all personal data without unnecessary delay.
The following periods apply to the storage of different types of personal data, depending on
their purpose:
1. Documents, data, and information related to contracts with clients and/or acceptance
of orders for transactions (including recordings of phone and video conference calls, if
conducted for remote identification, as well as electronic messages sent and received
letters) – 5 years.
In exceptional circumstances, the Financial Supervision Commission or another state
body may require us to store information for a longer period. We will notify you if it becomes
necessary to store personal data for a longer period.
2. Invoices and payment orders – 10 years from issuance.
3. For purposes of measuring user behavior on the corporate website, data will be
stored according to the validity period of the respective cookie.
4. Traffic data – Stored under the Electronic Communications Act for a period of 6
months. These data are transmitted to specialized authorities and institutions only in
compliance with legal provisions and with proper justification.
5. Video surveillance recordings – 30 days.
6. Phone conversations leading to or that may lead to transactions – 5 years.
In some situations, we may anonymize your personal data so that it can no longer be linked to you.
As a result, we may continue to use anonymized data without notifying you. After the termination of
your contractual relationship with us, we will retain your information in accordance with our policies
and legal requirements, and will securely destroy it once the storage period described in our
policies and required by law has expired.
VIII. Your Rights Regarding Your Personal Data
1. Right to access information: This right allows you to obtain a copy of the personal data
we hold about you and to check that we have a legal basis for processing it.
2. Right to rectification: This right allows you to ask us to correct any incomplete or
inaccurate information about you.
3. Right to erasure: This right allows you to ask us to delete or remove your personal data
when there is no valid reason for us to continue processing it. You also have the right to ask
for your data to be erased or removed when you have exercised your right to object to its
processing.
4. Right to object to processing: In cases where we rely on legitimate interests as the basis
for processing, you can object to this processing.
5. Right to restrict processing: This right allows you to ask us to stop processing your
personal data if, for example, you want us to establish the accuracy of the data or the
reasons for its processing.
6. Right to data portability: This right allows you to ask us to provide your data to a third
party.
If you wish to exercise any of your rights, you should submit a written request to us at the address
7a Kolyu Ficheto St., Floor 1, Plovdiv. When making such a request, you will need to provide
information confirming your identity. This requirement is part of our data protection measures to
ensure that personal information is not provided to someone who has no right to receive it.
Your Obligation to Notify Us of Changes in Your Personal Data
It is important that we keep your personal information accurate and up to date. Please inform us of
any changes to your personal data.
IX. Right to Withdraw Your Consent
In some of the limited cases where you have given consent for the collection, processing, and
transfer of your personal data for a specific purpose, you have the right to withdraw this consent.
Once we receive your request, we will stop processing the data for the purposes for which you
originally agreed, unless we have another legal basis for continuing the processing, which we will
notify you about.
X. Right to File a Complaint with a Supervisory Authority
If you believe your personal data rights have been violated, you may file a complaint with the
Commission for Personal Data Protection.
Contact Details for the Commission for Personal Data Protection:
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592
Phone: +359 2 915 3 519
Email: kzld@government.bg, kzld@cpdp.bg