Protecting personal data and handling the information that you entrust to us responsibly are important concerns for us.

In this Privacy Policy we, Clyde Mobility Ltd, as the operator of the platform Clyde, explain how we collect and otherwise process personal data in connection with Clyde. Personal data is understood to include all information that relates to an identified or identifiable person.

If you provide us with personal data about other persons (e.g. family members), kindly ensure that these persons are aware of this Privacy Policy and only disclose their personal data to us if you are permitted to do so, if the data subjects have given their consent and if this personal data is correct.

The controller for the data processing that we describe herein is Clyde Mobility Ltd (Datenschutz – Alte Steinhauserstrasse 12, CH-6330 Cham), unless stated otherwise in individual cases. If you have any data protection concerns, you can let us know by contacting us at the above contact address. Where possible, please specify what data you are referring to and enclose a copy of your identity card/document in the case of concerns regarding information held or deletion. You can also raise any concerns by emailing them to us at: [email protected]

Our representative in the EEA in accordance with Art. 27 of the GDPR is: AMAG (Vaduz) AG, Austrasse 37, CH-9490 Vaduz.

We primarily process personal data that we receive from our customers as part of our business relationship with them, that we collect from users when operating our website, app and other applications, or that we collect through tracking in line with contractual use (see clause 10 below). Such data includes, in particular, personal information (such as first name and last name, gender, date of birth), addresses (such as postal address, email address, IP address, MAC address), additional contact details (such as phone number), identification document details and copies (in particular passport, ID card and driving licence details), image data, credit score data, location data and data on use and condition of the vehicle.

To the extent allowed, we also gather certain data from publicly accessible sources (e.g. debt collection registers, land registers, commercial registers, the press, the internet) or receive such data from other companies within the AMAG Group, from public authorities and other third parties (such as credit bureaus, mailing list brokers). In addition to the data that you provide us directly, the categories of personal data that we receive about you from third parties include information from public registers, information that we learn about you in connection with official and court proceedings, information about you in correspondence and discussions with third parties, credit score information (insofar as we conduct business with you personally), information about you given to us by persons in your personal environment (family members, consultants, legal representatives, etc.) so that we may conclude or execute contracts with you or with your involvement (e.g. references, your address for deliveries, powers of attorney), information regarding compliance with legal requirements such as those relating to the combat of money laundering and export restrictions, information from banks, insurance companies, our sales and other contracting partners so that you can claim or render services (e.g. payments and S. 4 Privacy Policy Clyde. Version dated 01. January 2023 purchases made), information from the media and the internet relating to you (insofar as this is appropriate in the specific case, e.g. as part of a job application, press review, marketing/sales, etc.), your addresses and, if applicable, interests and other sociodemographic data (for marketing purposes), data in connection with the use of websites (e.g. IP address, MAC address of the smartphone or computer, details of your device and settings, cookies, date and time of the visit, pages accessed and their contents, functions used, referring website, location details).

If you work for a customer or business partner of ours, your data may also be affected in this capacity.

We use the personal data we collect primarily to conclude and execute our contracts with our customers and business partners, to provide, maintain, protect and improve our services, and to comply with our legal obligations in Switzerland and abroad.

In addition, we process personal data from you and other persons, to the extent that this is permitted and seems appropriate to us, for the following purposes in which we (and sometimes third parties) have a legitimate interest that corresponds to the purpose:

• Offering and developing our products, services and websites, apps and additional platforms on which we are presentChecking the credit score and rating of potential and current customers

• Communicating with third parties and processing their enquiries (e.g. via contact forms, media enquiries)

• Reviewing and optimising procedures to conduct needs analyses for the purpose of approaching customers directly as well as collecting personal data from publicly accessible sources for the purpose of customer acquisition

• Advertising and marketing (including holding events) provided that you have not objected to the use of your data (if we send advertising to you as an existing customer, you may object to receiving such advertising at any time, in which case, we would place you on the list of customers to whom advertising should not be sent)

• Market and opinion research, media monitoring

• Asserting legal claims and defences in connection with legal disputes and official proceedings

• Preventing and clarifying criminal acts and other misconduct (e.g. conducting internal investigations, data analyses for the prevention of fraud, managing whitelists and blacklists for the purposes of risk optimisation and exchanging such lists with third parties)

• Assuring our operations, in particular IT, our websites, apps and other platforms

• Purchasing and selling business areas, companies or parts of companies and other corporate law transactions and the transfer of personal data related to this, business management measures and compliance with statutory and regulatory obligations as well as internal rules of AMAG.

• Processing alleged traffic rule violations and other violations of the law, in particular forwarding personal data of customers and other users to the competent authorities and private claimants.

If you have given us consent to process your personal data for specific purposes (e.g. when you signed up to receive newsletters or for conducting a background check), we process your personal data within the scope of, and based on, this consent if we do not have any other legal basis and/or S. 5 Privacy Policy Clyde. Version dated 01. January 2023 we require such a basis. Any given consent may be withdrawn at any time, although this will not have any effect on data processing that has already been completed.

We typically use cookies and similar technologies on our websites and our apps, which allow your browser or your device to be identified. A cookie is a small file that is sent to your computer or automatically saved to your computer or mobile device by the web browser you use when you visit our website or install our app. When you visit our website or use our app again, this allows us to recognise you, even if we do not know who you are. In addition to cookies that are only used during a session and are deleted after your website visit (session cookies), cookies may also be used to store user settings and other information for a certain period of time (two years). These are known as permanent cookies. You may also set your browser so that it refuses cookies, stores them only for a session, or otherwise deletes them prematurely. Most browsers are set to accept cookies by default. We use permanent cookies to enable you to save user preferences (e.g. language, auto login), to better understand how you use our offers and content, and so that we can show you offers and advertising tailored to you. Such functions can also be used by our contracting partners, who in this context can see which users are visiting both our website and their own website. However, under no circumstances do they learn from us who you are, if we even know that ourselves. Certain cookies are set by us and some are also placed by contractual partners with whom we collaborate. If you block cookies, certain functionalities (such as choice of language, shopping basket, order processes) may no longer function.

In our newsletter and other marketing emails, we incorporate partly, and to the extent permitted, visible and invisible visual elements which, when retrieved from our servers, allow us to determine if and when you opened the email so that we are able to gauge and better understand how you use our offers so we can tailor them to you. You may block this in your email program; most programs are set to do this by default.

By using our websites, apps and consenting to receiving newsletters and other marketing emails, you agree to the use of these technologies. If you do not want this, you must set your browser and your email program accordingly, or uninstall the app if this cannot be modified in settings, or unsubscribe from the newsletter.

On our websites, we sometimes use Google Analytics or comparable services such as Hotjar. These are services provided by third parties who may be located in other countries (in the case of Google Analytics, it is Google LLC in the USA, www.google.com). Using the services of these third parties, we are able to measure and evaluate the use of the website (this information is non-personalised). Permanent cookies set by these service providers are also used for this purpose. These service providers do not receive any personal data from us (and also do not store any IP addresses) but are able to follow your use of the website, and to combine this information with data from other websites that you visited and that are also followed by these service providers, and to use this knowledge for their own purposes (e.g. managing advertising). If you have registered with these service providers yourself, they will know you too. The processing of your personal data by these service providers is then carried out under their own responsibility in accordance with their privacy policy provisions. The service providers only tell us how our respective website is used and do not provide any information about you personally.

We furthermore use plug-ins from social networks such as Facebook, Twitter, YouTube, LinkedIn or Instagram on our websites. This will be visible to you (typically in the form of the respective symbols). We have configured these elements in such a way that they are deactivated by S. 6 Privacy Policy Clyde. Version dated 01. January 2023 default. If you activate them (by clicking on them), the operators of the respective social networks are able to register that you are on our website (in particular also where you are within our website), and may use this information for their purposes. The processing of your personal data is then carried out under the responsibility of this operator in accordance with its privacy policy provisions. We do not receive any information about you from the operator.

We also disclose personal data to third parties within the scope of our business activities where this is permitted for the purpose set out in section 4 and where it seems appropriate to us; either because they are processing the data on our behalf or because they wish to use the data for their own purposes. This involves, in particular, the following parties:

• Our service providers (within the AMAG Group and externally, such as e.g. banks and insurance companies), including parties processing orders (such as e.g. IT providers and accounting service providers).

• Dealers, service partners, suppliers, subcontractors and other business partners.

• Authorities, official agencies or courts in Switzerland and abroad.

• Purchasers of, or parties interested in, purchasing business areas, companies or other parts of the AMAG Group.

• Other parties in potential or actual legal proceedings; all collectively referred to as recipients.

Where necessary for the provision of our services and taking into account the specific purpose, personal data is transmitted to the parties referred to above in Switzerland and the EU as well as to other countries. You must, in particular, expect that your data will be transferred to all countries in which the AMAG Group is represented by Group companies, branches or other offices (this is Switzerland and Liechtenstein), as well as to other European countries and the USA, where some service providers used by us are located. If we transfer data to a country that does not have adequate statutory data protection, we will provide an adequate level of protection, as prescribed by law, through use of the appropriate contracts/measures or the EU Binding Corporate Rules, or will base our actions on the statutory legal exceptions of consent, contract execution, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data, or because it is required to protect the integrity of the data subjects. However, we reserve the right to redact copies for data protection reasons or on grounds of confidentiality, or to provide extracts only.

We process and store your personal data for as long as it is required to meet our contractual and statutory obligations or as long as it is required for the purposes pursued by the processing, i.e. for the entire duration of the business relationship (from the initiation and processing of a contract to its termination as well as a subsequent service phase), and apart from that, in accordance with the statutory obligations regarding retention and documentation. It is possible that personal data will be retained for the period during which claims may be asserted against us, or if we are otherwise obliged by law to retain such personal data, or legitimate business interests require that the personal data be retained (e.g. for evidentiary and documentation purposes). In principle, as soon as your personal data is no longer required for the purposes indicated above, it will be deleted to the extent possible or rendered anonymous. Shorter retention periods of 12 months or less sometimes apply for operating data (e.g. system protocols, logs).

To protect your personal data against unauthorised access and misuse, we take appropriate technical and organisational safety precautions such as issuing directives, providing training, IT and network security solutions, access monitoring and restrictions, pseudonymisation and controls.

In the course of our business relationship, you must provide us with the personal data required to enter into and conduct a business relationship, and to perform the related contractual obligations (as a rule, you do not have a statutory obligation to provide us with data). Without this data, we will generally not be in a position to conclude a contract with you (or with the body or person you represent) or to execute it. In addition, our websites can only be used if certain information ensuring the free flow of data (e.g. IP address) is disclosed.

Our processing of your data is partially automated with the aim of assessing certain personal aspects and allowing us to track the use and condition of our vehicles (profiling). Each vehicle sends us data continuously, which can include personal data (in particular location/GPS data, data concerning the use of the vehicle and the operation of vehicle functions as well as telemetric data, to the extent that this data can be considered personal). This data is collected and used for administrative and contractual processing. In principle, it is not passed on to third parties unless there are applicable laws, official directives or other important reasons (e.g. investigation/clarification in cases of damage, investigation of possible violations of contractual conditions, safety defects, serious technical problems, breach of third-party rights or protection of our property) that require its disclosure. We also use profiling, however, to be able to inform and advise you about products in a targeted manner. For this, we use evaluation tools which facilitate needs-based communication and advertising, including market and opinion research. To establish and conduct the business relationship and also otherwise, we do not, as a rule, use any automated decision-making (such as is governed by Art. 22 of the GDPR). In the event that we use such procedures in individual cases, we will inform you about this separately if this is prescribed by law, and will inform you about the related rights.

Within the scope of the data protection law that applies to you, and insofar as the law provides for it (as in the case of the GDPR), you have the right of access as well as the right to rectification and erasure, the right to restrict data processing and otherwise, the right to object to our data processing, and the right to the provision of certain personal data for the purpose of transmission to another party (the right to data portability). Please note, however, that for our part, we reserve the right to enforce the restrictions prescribed by law, such as if we are obliged to retain or process certain data, if we have an overriding interest in such data (insofar as we may invoke this interest) or need the data to assert claims. A request for information is generally free of charge. A fee may be charged where the request entails a particularly extensive amount of S. 8 Privacy Policy Clyde. Version dated 01. January 2023 work, the request for information is excessive or notorious, unless there is an interest worthy of protection. If you are likely to incur costs, we will notify you in advance. Regarding the option to withdraw your consent, we refer to section 4. Please note that the exercise of these rights may be in conflict with contractual agreements, and that this may have consequences such as early termination of the contract or costs. In this case, we will inform you in advance if this is not already governed by contract.

The exercise of these rights requires that you provide clear proof of your identity (e.g. by means of a copy of an identification card/document if your identity is otherwise unclear or cannot be verified). To assert your rights, you can contact us at the address indicated in section 2. Furthermore, every data subject has the right to assert their claims in a court of law or to file a complaint with the responsible data protection authority.

We may amend this Privacy Policy at any time without prior notice. The applicable version of the Privacy Policy is the latest version as published on our website. If the Privacy Policy forms part of an agreement with you, we will notify you of any updates to it where this is possible without undue expense.