Privacy policy.

This Privacy Policy ("Policy") describes how Jiemerald Group S.A.R.L. ("Company", "we", "us" or "our"), with its registered office in Agadir, Morocco, collects, uses, discloses, transfers, retains and otherwise processes personal data when you visit, interact with or otherwise use the website located at jiemeraldgroup.com and any related online services, communications and offerings (collectively, the "Services").

This Policy is intended to comply with all applicable data protection and privacy laws and regulations, including without limitation Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the United Kingdom Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Personal Information Protection and Electronic Documents Act ("PIPEDA") of Canada, the Brazilian General Data Protection Law ("LGPD"), and any other applicable data protection legislation in jurisdictions in which we operate.

Capitalized terms not defined herein shall have the meaning set forth in the applicable legislation. Where there is a conflict between this Policy and mandatory local law, the mandatory local law shall prevail solely to the extent of such conflict.

Jiemerald Group S.A.R.L. acts as the "data controller" (as defined under the GDPR) or "business" (as defined under the CCPA/CPRA) with respect to personal data collected through the Services. You may contact us regarding any privacy matter by writing to: Jiemerald Group S.A.R.L., Agadir, Morocco — email: info@jiemeraldgroup.com. Where required by law, we have appointed a Data Protection Officer ("DPO") and/or a representative in the European Union and/or the United Kingdom, whose contact details are available on request.

We collect and process the following categories of personal data, in each case to the extent permitted by applicable law:

• Identifiers: first and last name, postal address, email address, telephone number, company name, job title, account credentials, unique personal identifiers, online identifiers, IP address, device identifiers and similar identifiers.
• Commercial information: records of products or services purchased, obtained, requested or considered, purchasing or consuming histories or tendencies, billing and shipping information, supply requests and contractual correspondence.
• Internet or other electronic network activity information: browsing history, search history, information regarding your interaction with the Services, advertisements and emails, referring/exit pages, page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from a page.
• Geolocation data: general location derived from IP address; precise geolocation data only where you have explicitly opted in.
• Professional or employment-related information: employer, role, industry sector, business contact details and information you provide in applications or partnership inquiries.
• Audio, electronic, visual or similar information: recordings of calls (where lawfully recorded with notice), images and video submitted by you.
• Inferences: inferences drawn from any of the information identified above to create a profile reflecting preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities and aptitudes relevant to the commercial relationship.

We do not knowingly collect "sensitive personal information" as defined under the CCPA/CPRA or "special categories of personal data" as defined under the GDPR (Article 9), and we ask that you refrain from submitting such information through the Services.

We collect personal data: (i) directly from you when you submit a form, request a quotation, subscribe to communications, contact us by email or telephone, or otherwise interact with the Services; (ii) automatically through cookies, pixel tags, web beacons, server logs and similar technologies (see our Cookie Policy); (iii) from third parties such as our affiliates, business partners, distributors, service providers, analytics providers, advertising networks, public databases, sanctions screening providers and credit reference agencies; and (iv) from publicly available sources, including official trade registries and your professional online presence.

We process personal data for the following purposes and on the following legal bases under the GDPR:

• Performance of a contract — to respond to inquiries, prepare and perform supply contracts, manage orders, deliveries, invoicing and post-sales support.
• Compliance with legal obligations — to comply with tax, accounting, customs, food-safety, traceability, anti-money laundering, sanctions and other regulatory obligations.
• Legitimate interests — to operate, secure, evaluate and improve our Services, prevent fraud and abuse, exercise or defend legal claims, conduct business analytics, and engage in direct B2B marketing of our own goods to existing and prospective business customers, in each case where such interests are not overridden by your fundamental rights.
• Consent — where required by law, for the use of non-essential cookies, electronic marketing communications, and any processing for which consent is the appropriate legal basis. You may withdraw your consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Vital interests / public interest — in exceptional circumstances to protect a person's vital interests or to perform a task carried out in the public interest.

We may disclose personal data to the following categories of recipients, in each case under appropriate contractual safeguards:

• Affiliates and group companies for internal administrative and operational purposes.
• Service providers and processors including hosting and cloud infrastructure providers, email and CRM providers, analytics and performance monitoring providers, payment processors, logistics and freight forwarders, customs brokers, professional advisors (lawyers, auditors, consultants), and insurance providers.
• Analytics and advertising networks who may, where consent is given, set cookies or similar technologies to measure audience and serve contextual or personalized communications.
• Commercial partners, distributors and brokers involved in the performance of the supply relationship with you.
• Public authorities and law enforcement where required by law, court order, lawful request, or to enforce our legal rights.
• Successors in interest in the event of a merger, acquisition, reorganization, sale of assets, financing or insolvency, in which case personal data may be transferred to the relevant party as a business asset.

We do not "sell" personal information for monetary consideration as the term is commonly understood. To the extent that any disclosure to advertising or analytics partners constitutes a "sale" or "sharing" under the CCPA/CPRA, you may exercise your right to opt out as described below.

Personal data may be transferred to, stored in and processed in countries other than the country in which the data was originally collected, including countries that may not provide a level of data protection equivalent to that of your home jurisdiction. Where we transfer personal data outside of the European Economic Area, the United Kingdom or other regulated jurisdictions, we implement appropriate safeguards in accordance with applicable law, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, adequacy decisions, binding corporate rules, and supplementary technical and organizational measures. A copy of the relevant transfer mechanism may be obtained by contacting us at info@jiemeraldgroup.com.

As a company established in Agadir, Morocco, Jiemerald Group S.A.R.L. processes personal data in accordance with Moroccan Law No. 09-08 of 18 February 2009 relating to the protection of natural persons with regard to the processing of personal data ("Law 09-08") and its implementing decree, under the supervision of the Commission Nationale de contrôle de la Protection des Données à Caractère Personnel ("CNDP"). Where required, our processing operations are declared to or authorized by the CNDP. Data subjects may exercise their rights of access, rectification, opposition and deletion under Articles 7 to 9 of Law 09-08 by contacting us at info@jiemeraldgroup.com, and may lodge a complaint with the CNDP (www.cndp.ma).

In the context of our international export activities, we may collect and process additional data on commercial counter-parties (importers, distributors, retailers, brokers and their representatives) for the purposes of know-your-customer ("KYC"), sanctions and politically-exposed-persons screening, anti-money-laundering, anti-bribery, customs and tax compliance, food-safety traceability and credit assessment. Such data may include identification documents, beneficial-ownership information, trade references, banking details and screening results. The legal basis for this processing is compliance with our legal obligations and our legitimate interest in preventing fraud, sanctions breaches and commercial risk. Counter-party records are retained for the duration of the commercial relationship and for at least ten (10) years thereafter to comply with our legal and regulatory obligations.

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, tax, regulatory or reporting requirements, and to establish, exercise or defend legal claims. The criteria used to determine retention periods include:

• the nature, sensitivity and volume of the personal data;
• the potential risk of harm from unauthorized use or disclosure;
• the purposes for which we process the data and whether we can achieve those purposes through other means;
• statutory limitation periods and contractual obligations applicable in Agadir, Morocco and in your jurisdiction;
• regulatory guidance and recommended industry practices.

Indicatively, commercial inquiry data is retained for the duration of the commercial relationship plus the applicable statutory limitation period (typically up to ten (10) years for accounting and tax purposes). Marketing data is retained until you withdraw consent or object. After the applicable retention period, personal data is securely deleted, destroyed or irreversibly anonymized.

We implement appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, including encryption in transit, access controls, network segmentation, logging and monitoring, regular security testing, vendor due diligence and staff confidentiality obligations. However, no transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of any credentials used to access the Services and must notify us immediately of any unauthorized use.

If you are located in the European Economic Area, the United Kingdom or another jurisdiction granting equivalent rights, you have the following rights, subject to the conditions and limitations set out in applicable law:

• Right of access — to obtain confirmation that we process your data and a copy of such data;
• Right to rectification — to obtain correction of inaccurate or incomplete data;
• Right to erasure ("right to be forgotten") — to obtain deletion of your data in certain circumstances;
• Right to restriction of processing — to obtain restriction in certain circumstances;
• Right to data portability — to receive your data in a structured, commonly used and machine-readable format;
• Right to object — to object to processing based on legitimate interests or for direct marketing purposes;
• Right to withdraw consent — at any time, where processing is based on consent;
• Right not to be subject to automated decision-making producing legal or similarly significant effects;
• Right to lodge a complaint with a supervisory authority in your country of residence, place of work or place of the alleged infringement.

To exercise any of these rights, please contact us at info@jiemeraldgroup.com. We may need to verify your identity before responding and will reply within the time limits set by applicable law.

If you are a California resident or resident of another U.S. state granting equivalent rights, you have the following rights, subject to verification of your identity:

• Right to know the categories and specific pieces of personal information collected, the sources, the business or commercial purposes, and the categories of third parties to whom it has been disclosed;
• Right to delete personal information collected from you, subject to enumerated exceptions;
• Right to correct inaccurate personal information;
• Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising;
• Right to limit use and disclosure of sensitive personal information;
• Right to non-discrimination for exercising any of the above rights.

We honor opt-out preference signals, including the Global Privacy Control ("GPC"), where technically feasible. To exercise these rights, contact us at info@jiemeraldgroup.com. An authorized agent may submit a request on your behalf with proof of authorization.

The Services are not directed to, and we do not knowingly collect personal data from, individuals under the age of sixteen (16). If we learn that we have collected personal data from a child without verified parental consent, we will delete such data as soon as practicable. Parents or guardians who believe that their child has provided personal data to us should contact us at info@jiemeraldgroup.com.

The Services may contain links to, or integrations with, third-party websites, applications or services that operate independently of us. This Policy does not apply to information collected by such third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of every third-party site you visit.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. The updated Policy will be posted on the Services with a revised "last updated" date. Where required by applicable law, we will provide additional notice or seek your consent. We encourage you to review this Policy periodically.

For any questions, concerns or requests relating to this Policy or our data practices, please contact us at: Jiemerald Group S.A.R.L., Agadir, Morocco — email: info@jiemeraldgroup.com.