DATA PRIVACY POLICY

of www.tommatech.de

V2302.01

Introduction

1. We thank you for your visit to our website www.tommatech.de and your interest in our company and our offers. Despite careful control of the contents, we do not assume any liability for external links to third-party contents, as we have not initiated the transfer of this information, did not select the addressee of the transmitted information and the transmitted information ourselves or have amended any such information ourselves.

2. The protection of your personal data in connection with the collection, processing of use on the occasion of your visit to our Internet pages is an important concern for us. The collection, processing and use of your personal data takes place within the scope of the statutory provisions on which you may for instance obtain information on the website www.bfdi.bund.de.

3. In the following, we explain which information we record on the occasion of your visit to our websites and how this information is used:

Definition of GDPR

4. The European Union General Data Protection Regulation (GDPR) is a regulation in European Union law on data protection and privacy of natural persons in the European Union and the European Economic Area.

Collection and storage of personal data as well as type and purpose of their use

5. Whenever a customer (or any other visitor) visits our website, the Internet browser used on your device (computer, laptop, tablet, smartphone, etc.) automatically sends information to the server of our website. This information is temporarily stored in a so-called log file.

6. The following data is in this connection collected and stored, without any action on your part, until the time of automatic deletion:

a. IP-address of the accessing computer as well as device-ID or individual device identifier and type of device,

b. the name of the retrieved file and the transmitted data volume, as well as date and time of the retrieval,

c. report on successful retrieval,

d. accessing domain,

e. description of the type of Internet browser used and of the operating system of your device as well as the name of your access provider, as the case may be,

f. your browser history data as well as your default web log information,

g. location data, including location data of your mobile device. Please note that you are able to control or deactivate the use of location services on most mobile devices in the setup menu of the mobile device.

7. Our justified interest in accordance with Art. 6 para. 1 cl. 1 lit. f GDPR is based on the following purposes:

a. ensuring the smooth establishment of a connection and comfortable use of the website,

b. analysis of system security and system stability, and

c. other administrative purposes.

8. In no event will we use the collected data for the purpose of drawing any conclusions as to your person. The above data will be deleted after you leave the website.

9. Should you have questions of any kind, we offer you the possibility to contact us via a Contact Form provided on our website. In this connection, the specification of a valid email address, first name, surname, your domicile and your telephone number is at least required, so that we know, who sent the enquiry and are able to answer it. Further information may be provided on a voluntary basis.

10. The data processing for the purpose of establishing contact with us takes place in accordance with Art. 6 para. 1 cl. 1 lit. a GDPR on the basis of your voluntarily granted consent.

11. The personal data collected by us for the use of the Contact Form will be automatically erased after the inquiry you have sent us has been answered.

12. For the protection of your inquiries by Internet form we use Securimage with is an open source PHP CAPTCHA script (https://www.phpcaptcha.org/). The inquiry serves the differentiation whether the input takes place by humans or abusively by automated, mechanical processing.

Disclosure of personal data

13. Your data will not be transferred to third parties for purposes other than those listed below.

14. We only pass on your data to third parties if:

a. you have given your express consent to do so in accordance with (Art. 6 para. 1 cl. 1 lit. a GDPR),

b. this is necessary for the processing of contractual relationships with you (Art. 6 para. 1 cl. 1 lit. b GDPR),

c. there is a legal obligation to disclose (Art. 6 para. 1 cl. 1 lit. c GDPR),

d. the disclosure is necessary for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (Art. 6 para. 1 cl. 1 lit. f GDPR).

15. We pass on your data to third parties only within the scope of Art. 49 GDPR.

16. In these cases, however, the scope of the transmitted data is limited to the necessary minimum.

17. Our data protection regulations are in accordance with the applicable data protection regulations and the data is only processed in the Federal Republic of Germany and Republic of Türkiye. However, we also work together with third parties who can process the data outside the EU. All third-party providers with whom we work are listed in our data protection declaration.

Rights of data subjects

18. On request, we will be pleased to inform you whether and which personal data relating to your person are stored (Art. 15 GDPR), in particular about the purposes of processing, the category of personal data, the categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right of rectification, deletion, restriction of

processing or opposition, the existence of a right of appeal, the origin of your data if they have not been collected by us, and the existence of automated decision making including profiling.

19. You also have the right to have any incorrectly collected personal data corrected or incompletely collected data completed (Art. 16 GDPR).

20. Furthermore, you have the right to demand that we restrict the processing of your data, provided that the legal requirements for this are met (Art. 18 GDPR).

21. You have the right to receive the personal data concerning you in a structured, common and machine-readable format or to request that it be transferred to another responsible party (Art. 20 GDPR).

22. In addition, you have the so-called "right to be forgotten", i.e. you can demand that we delete your personal data, provided that the legal requirements are met (Art. 17 GDPR).

23. Irrespective of this, your personal data will be automatically deleted by us if the purpose for which the data was collected ceases to apply or if the data processing is unlawful.

24. According to Art. 7 para. 3 GDPR, you have the right to revoke your consent to us at any time. As a result, we may no longer continue the data processing based on this consent in the future.

25. You also have the right to object to the processing of your personal data at any time, provided that a right of objection is provided for by law. In the event of an effective revocation, your personal data will also be automatically deleted by us (Art. 21 GDPR).

26. If you wish to exercise your right of revocation or objection, simply send an e-mail to head@tommatech.de.

In the event of infringements of the data protection regulations, you have the opportunity to lodge a complaint with the responsible supervisory authority in accordance with Art. 77 GDPR. The competent supervisory authority is both the Bavarian State Commissioner for Data Protection () https://www.datenschutz-bayern.de/vorstell/petri.html.de and any other supervisory authority.

Duration of data storage

27. The data collected will be stored by us for as long as is necessary to execute the contracts entered into with us or if you have not exercised your right to deletion or your right to transfer data to another company.

Cookies

28. We use cookies on our website. These are small text files that are automatically created by your browser and stored on your device when you visit our website. The cookie contains information that is related to the specific device used. This does not mean, however, that we immediately obtain knowledge of your identity.

29. These cookies are set as so-called first-party cookies ("own cookies") or third-party cookies ("third-party cookies"). First-party cookies are set by the website you are currently visiting and are not made available by browsers across domains. A third party cookie, on the other hand, is set by a third party, i.e. not by the actual website you are currently on.

30. Furthermore, cookies are divided into technically necessary and technically unnecessary cookies. On our website, both technically necessary cookies and technically unnecessary cookies are set in accordance with the following paragraphs.

a. Technically necessary cookies are absolutely necessary for the operation of our website and lead, for example, to certain functions being made possible for you in the first place. These technically necessary cookies, which are only required and set for the individual necessary online session, are automatically deleted after leaving our website.

b. The legal basis for the use of these technically necessary cookies is Art. 6 para. 1 cl. 1 lit. f GDPR.

31. If you have given your consent, we use so-called technically not necessary cookies on our website. The technically not necessary cookies are mainly used to evaluate the use of the website as well as user behaviour, to compile reports on the activities of visitors to the website and to provide further services associated with the use of the website.

32. The cookies we use, which are not technically necessary, are explained in our cookie banner with regard to their function, duration and possible third-party recipients of the data. If certain third party providers we use set cookies as part of the service provided for us, this will also be indicated separately in our privacy policy.

33. The legal basis for the use of cookies that are not technically necessary is Art. 6 para. 1 cl. 1 lit. a GDPR, provided you have given your consent.

34. You can revoke your consent at any time. Furthermore, you have the possibility to configure the setting of cookies at any time. For example, you can set your browser to inform you in advance about the setting of cookies or to refuse cookies completely.

Online marketing/analysis measures

35. By statistical recording through online marketing measures, we want to design our website to meet the needs of you, our user, and continually adapt and optimize its use.

36. The use of the online marketing and tracking measures we use is based on your consent in accordance with Art. 6 para. 1 cl. 1 lit. a GDPR.

37. If your data is transferred to the USA, this is done on the basis of your consent in accordance with Art. 49 para. 1 cl. 1 lit. a GDPR. In addition, the service providers concerned have committed to us under a standard contractual clause that a level of data protection equivalent to that in the EU is guaranteed in third countries outside the EU to which data is exported.

38. We use various tools from Google on our website.

a. If you have given your consent, this website uses Google Analytics, a web analysis service provided by Google Ireland Limited "Google". The use includes the operating mode "Universal Analytics"; this makes it possible to assign data, sessions and interactions across multiple devices to a pseudonymous user ID and thus to analyse the activities of a user across devices.

b. Google Analytics uses so-called "cookies"; text files which are stored on your computer and which enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. However, in the event that IP anonymisation is activated on this website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. We would like to point out that Google Analytics has been extended to include IP anonymisation on this website in order to ensure anonymous recording of IP addresses (so-called IP masking). The IP address transmitted by your browser within the scope of Google Analytics is not merged with other Google data. Further information on terms of use and data protection can be found at ( https://www.google.com/analytics/terms/de.html or https://policies.google.com/?hl=de).

c. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activities and to provide further services to the website operator in connection with website and internet use.

d. The data sent by us and linked to cookies, user IDs (e.g. user ID) or advertising IDs are automatically deleted after 14 months. Data whose retention period has been reached is automatically deleted once a month.

e. You can revoke your consent at any time with effect for the future by preventing the storage of cookies through a corresponding setting in your browser software; however, we would like to point out that in this case you may not be able to use all functions of this website to their full extent.

f. You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the Browser-Add-on. Opt-out cookies prevent future collection of your information when you visit this website. To prevent Universal Analytics from collecting data across multiple devices, you must opt-out on all systems in use. Click here (https://tools.google.com/dlpage/gaoptout?hl=de) to set the opt-out cookie to disable Google Analytics.

g. This website uses so-called web fonts, which are provided by Google Inc. for the uniform display of fonts. When you visit our website, your browser loads the required Google web fonts and fonticons into your browser cache in order to display texts and fonts correctly.

h. For this purpose, the browser you use must connect to the servers of Google and Fonticons. Through this, Google and Fonticons are informed that our website has been accessed via your IP address. The use of these web fonts is in the interest of a uniform and attractive presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 para. 1 cl. 1 lit. f GDPR.

i. If your browser does not support the display of web fonts, a standard font is used by your computer.

j. For more information about Google's web fonts, please visit https://developers.google.com/fonts/faq and Google's privacy policy: https://www.google.com/policies/privacy/.

k. This website uses the Doubleclick service from Google. Google uses cookies to display ads that are relevant to you. For this purpose, a pseudonymous identification number (ID) is assigned to your browser in order to check which of the ads displayed in your browser were called up. Based on the user behaviour recorded in this way, Google will display relevant advertisements for you. Further information on Google Doubleclick can be found at https://www.google.de/doubleclick and https://www.google.de/intl/de/policies/privacy.

39. We use various tools from Yandex on our website.

a. If you have given your consent, this website uses Yandex.Metrica (Yandex), a web analytics and click tracking service provided by Yandex, located at 119021 Moscow, L. Tolstoy Street, 16, Russia. Cookies are placed on your terminal device to enable Yandex to analyse your use of the website. You can find more information on data protection and the processing of data by Yandex at https://yandex.com/legal/confidential/?lang=en. This is done on the basis of your consent pursuant to Art. . 6 para. 1 cl. 1 lit. a GDPR.

b. Insofar as your data is transferred to Russia, this is done on the basis of your consent pursuant to Art. 49 para. 1 cl. 1 lit. a GDPR. In addition, Yandex has committed to us under a standard contractual clause that a level of data protection equivalent to that of the EU is guaranteed in third countries outside the EU to which data is exported.

unpkg

40. We use the Content Delivery Network (CDN) unpkg on this website. This is a service provided

by Npm, Inc, 1999 Harrison Street #1150, CA 94612 Oakland, United States. By means of the CDN, the content of our website is delivered more quickly via several connected servers. Your browser must contact the servers of unpkg for this purpose. In doing so, your IP address is processed. This is done on the basis of your consent pursuant to Art. 6 para. 1 cl. 1 lit. a GDPR.

41. If your data is transferred to the USA, this is done on the basis of your consent pursuant to Art. 49 para. 1 cl. 1 lit. a GDPR. In addition, the service providers in question have committed to us under a standard contractual clause that a level of data protection equivalent to that in the EU is guaranteed in third countries outside the EU to which data is exported.

42. Further information on the processing of your data can be found here: https://docs.npmjs.com/policies/privacy.

jsdelivr

43. We use the Content Delivery Network (CDN) jsdelivr on this website. This is a service provided by GitHub Inc, 88 Colin P Kelly Jr St, San Francisco, CA 94107, United States. By means of the CDN, the content of our website is delivered more quickly via several connected servers. For this purpose, your browser must contact the servers of jsdelivr. In doing so, your IP address is processed. This is done on the basis of your consent pursuant to Art. 6 para. 1 cl. 1 lit. a GDPR.

44. If your data is transferred to the USA, this is done on the basis of your consent pursuant to Art. 49 para. 1 cl. 1 lit. a GDPR. In addition, the service providers in question have committed to us under a standard contractual clause that a level of data protection equivalent to that in the EU is guaranteed in third countries outside the EU to which data is exported.

45. Further information on the processing of your data can be found here: https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement.

Services of Google Maps

46. The use of Google Maps is based on your consent in accordance with Art. 6 para. 1 cl. 1 lit. a GDPR.

47. Insofar as you have given your consent, we use various services of Google LLC ( https://www.google.de/intl/de/about/) (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; hereinafter "Google") to display routes and location information on our website.

48. In detail, these are Google Maps, Google Maps Directions, - Distance, - Geocoding and -Geolocation. These services provided by Google are each integrated into our website via so-called API interfaces.

49. We, as the provider of our website, have no knowledge of whether and, if so, which data is transferred to Google when using the Google Maps services.

50. The terms and conditions of Google apply to the use of these services, which you can view here: https://www.google.com/intl/de_de/help/terms_maps/ and https://policies.google.com/privacy?fg=1.

51. The recipient of the collected data is Google. If your data is transferred to the USA, this is done on the basis of your consent in accordance with Art. 49 para. 1 cl. 1 lit. a GDPR. In addition, Google has committed to us under a standard contractual clause that a level of data protection equivalent to that of the EU is guaranteed in third countries outside the EU to which data is exported.

Social Media

52. We do not use social media plugins from the social networks Facebook and Instagram on our

website, because these social media plugins usually result in every visitor to the website being immediately recorded by these services with their IP address. This means that all further activities on the internet are logged; even if you do not click on one of the buttons at all.

53. To prevent this, we use the so-called Shariff solution, which ensures that initially no personal data is passed on to the providers of the individual social media plugins when you visit our website. Only when you click on one of the social media graphics can data be transmitted to the respective service provider and stored there. With the Shariff solution, the buttons of the individual providers are only integrated as graphics that contain a link to the individual social media services. A connection to the social media services is only established when you click on the respective button. After clicking on the button and being redirected to the website of the social network, the duty to provide information no longer lies with us, but with the operator of the social network. Information on the collection and use of your data in the social networks can be found in the respective terms of use of the corresponding provider.

54. We would like to point out that data of our website visitors may also be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce users' rights.

55. Furthermore, it is possible that user data may be processed for market research and advertising purposes by the third-party providers. For example, usage profiles can be created from the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the social networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behaviour and the interests of the users are stored. Furthermore, data may also be stored in the usage profiles regardless of the devices used by the users (especially if the users are members of the respective social network and are logged in to them).

56. For a detailed presentation of the respective processing, we refer to the information of the respective providers linked below. In the event of requests for information or the assertion of your rights as a data subject, we would also like to point out that these can be asserted most effectively with the social networks. Only they have access to the data of their users and can directly take appropriate measures and provide information. If you still need help, you can contact us.

57. By way of the Shariff solution, we use links to the social networks listed below on our website:

a. Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland), privacy policy: https://www.facebook.com/about/privacy/ ,Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com,

b. Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), privacy policy: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated,

c. Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA), privacy policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization,

d. LinkedIin (LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA) privacy policy: https://www.linkedin.com/legal/privacy-policy

Data security

58. We make every effort to take all necessary technical and organizational security measures to store your personal data in such a way that they are not accessible to third parties or the public. Should you wish to contact us by e-mail, we would like to point out that the confidentiality of the information transmitted cannot be completely guaranteed with this method of

communication. We therefore recommend sending us confidential information exclusively by post.

Topicality and amendment of this data protection declaration

59. This data protection declaration is currently valid and is dated 01.01.2023

60. It may become necessary to amend this data protection declaration as a result of the further development of our website and offers above or due to changes in legal or official requirements. You can access and print out the current data protection declaration at any time on the website at https://tommatech.de/en/corporate/privacy-policy.