GDPR Compliance

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to all organizations processing personal data of EU residents. As Luminary Leads operates in Poland, Romania, and Croatia, we fully comply with GDPR requirements. Our Commitment: • Full GDPR compliance since May 25, 2018 • Regular audits and assessments • Continuous improvement of data protection measures • Transparent data processing practices • Respect for individual rights GDPR Principles We Follow: • Lawfulness, fairness, and transparency • Purpose limitation • Data minimization • Accuracy • Storage limitation • Integrity and confidentiality • Accountability

We process personal data only when we have a valid legal basis: Consent (Article 6(1)(a)): • Marketing communications • Non-essential cookies • Biometric data processing • Special category data Contract (Article 6(1)(b)): • Job matching services • Application processing • Communication about opportunities • Service delivery Legal Obligation (Article 6(1)(c)): • Tax and accounting records • Employment law compliance • Immigration requirements • Anti-fraud measures Legitimate Interests (Article 6(1)(f)): • Service improvement • Fraud prevention • Network security • Direct marketing (with opt-out) We conduct Legitimate Interest Assessments (LIA) for all processing based on legitimate interests.

Under GDPR, you have the following rights: Right to Access (Article 15): • Request a copy of your personal data • Understand how we process it • Receive information about transfers Right to Rectification (Article 16): • Correct inaccurate data • Complete incomplete data • Update outdated information Right to Erasure (Article 17): • Request deletion of your data • "Right to be forgotten" • Applies in specific circumstances Right to Restrict Processing (Article 18): • Limit how we use your data • During dispute resolution • When accuracy is contested Right to Data Portability (Article 20): • Receive your data in machine-readable format • Transfer to another service • Applies to consent/contract based processing Right to Object (Article 21): • Object to direct marketing • Object to legitimate interests processing • Object to profiling Right to Withdraw Consent: • Withdraw consent anytime • Does not affect prior processing • Easy withdrawal mechanism

Technical Measures: • AES-256 encryption at rest • TLS 1.3 for data in transit • Multi-factor authentication • Regular security audits • Intrusion detection systems • Secure backup procedures • Access logging and monitoring Organizational Measures: • Data Protection Officer appointed • Staff training programs • Privacy by Design implementation • Data Protection Impact Assessments (DPIA) • Vendor due diligence • Incident response procedures • Regular policy reviews Physical Security: • Secure data center facilities • Access control systems • Environmental monitoring • Disaster recovery plans

Transfer Mechanisms: To Nepal (Non-EU): • Standard Contractual Clauses (SCCs) - Module 2 • Additional safeguards implemented • Transfer Impact Assessment conducted Within EU: • Free movement of data • Same protection standards To Other Countries: • Japan: Adequacy decision • Korea: SCCs + supplementary measures • Dubai: SCCs + enhanced security • Malaysia: SCCs + consent Safeguards: • Encryption during transfer • Access controls • Contractual obligations • Regular audits • Data localization where required Your Rights: • Information about transfers • Copy of safeguards • Object to certain transfers

Breach Response Timeline: Detection: • 24/7 monitoring systems • Immediate escalation procedures • Incident response team activation Assessment (0-24 hours): • Determine scope and impact • Identify affected individuals • Assess risk level • Implement containment measures Notification: • Supervisory Authority: Within 72 hours • Affected Individuals: Without undue delay (for high-risk breaches) • Detailed breach report • Mitigation advice Our Commitments: • Transparent communication • Support for affected individuals • Free credit monitoring (where applicable) • Regular updates on investigation • Lessons learned implementation Prevention: • Regular security assessments • Employee training • Technical controls • Vendor management

Our Comprehensive Cookie Policy: What Are Cookies? Cookies are small text files placed on your device when you visit our website. They help us provide you with a better experience by remembering your preferences and understanding how you use our site. Types of Cookies We Use: 🔒 Essential Cookies (Always Active) • Session management and security • Load balancing and site functionality • Authentication and access control • Form submission handling • No consent required as they are necessary for operation 📊 Analytics Cookies (Consent Required) • Google Analytics for traffic analysis • Custom analytics for user journey mapping • Performance monitoring • Error tracking and debugging • Heatmap and scroll depth analysis • A/B testing and optimization ⚙️ Functional Cookies (Consent Required) • Language preferences • User interface customization • Recently viewed jobs • Form autofill preferences • Accessibility settings • Time zone detection 🎯 Marketing Cookies (Explicit Consent Required) • Facebook Pixel for retargeting • Google Ads remarketing • LinkedIn Insight Tag • Social media integration • Conversion tracking • Interest-based advertising Third-Party Cookies: • Google Analytics: _ga, _gid, _gat • Facebook: fr, _fbp • LinkedIn: li_gc, bcookie • YouTube: YSC, VISITOR_INFO1_LIVE Cookie Duration: • Session cookies: Deleted when browser closes • Persistent cookies: 1 day to 2 years • Analytics cookies: 2 years • Marketing cookies: 90 days Your Cookie Rights: • Accept or reject non-essential cookies • Change preferences anytime • Delete cookies through browser settings • Opt-out of specific services • Request information about cookies used Managing Cookies: • Use our cookie consent tool • Browser settings control • Google Ads Settings • Facebook Ad Preferences • LinkedIn Ad Preferences Consequences of Blocking Cookies: • Essential features may not work • Preferences won't be saved • You may see generic content • Some forms may not function • Analytics won't track improvements Cookie-Free Alternatives: • Local storage for preferences • Server-side sessions • URL parameters for tracking • Browser fingerprinting (not used) Updates to Cookie Policy: • Regular reviews every 6 months • Notification of significant changes • Consent renewal annually • Version history maintained

When We Conduct DPIAs: Mandatory Cases: • Biometric data processing • Large-scale special category data • Systematic monitoring • Automated decision-making • New technologies DPIA Process: 1. Describe processing operations 2. Assess necessity and proportionality 3. Identify and assess risks 4. Determine mitigation measures 5. Consult stakeholders 6. Review and approve 7. Monitor and review Transparency: • DPIA summaries available on request • Stakeholder consultation • Regular reviews and updates Risk Mitigation: • Technical measures • Organizational controls • Policy updates • Training programs

Age Restrictions: • Minimum age: 18 years for our services • No intentional collection from minors • Age verification procedures If Child Data is Discovered: • Immediate deletion • Parent/guardian notification • No further processing • Incident documentation Special Protections: • Enhanced consent requirements • Parental control options • No profiling of children • No direct marketing • Educational materials only Compliance: • Regular age verification audits • Staff training on child protection • Clear age requirements • Prompt response to concerns

Our Approach: Limited Automation: • Initial candidate screening • Job matching algorithms • Risk assessment Human Oversight: • All significant decisions reviewed • Human intervention available • Explainable algorithms • Regular audits Your Rights: • Request human review • Express your viewpoint • Contest decisions • Understand logic involved Safeguards: • No decisions based solely on automation • Regular algorithm testing • Bias prevention measures • Transparency reports • Fair processing guarantees

You can contact supervisory authorities: Poland: UODO (Urząd Ochrony Danych Osobowych) Address: Stawki 2, 00-193 Warsaw Website: uodo.gov.pl Email: [email protected] Romania: ANSPDCP Address: B-dul G-ral. Gheorghe Magheru 28-30, Bucharest Website: dataprotection.ro Email: [email protected] Croatia: AZOP (Agencija za zaštitu osobnih podataka) Address: Selska cesta 136, 10000 Zagreb Website: azop.hr Email: [email protected] European Data Protection Board: Website: edpb.europa.eu For cross-border complaints How to File a Complaint: 1. Contact us first for resolution 2. If unsatisfied, contact your local authority 3. Provide detailed information 4. We cooperate fully with investigations

Data Protection Officer: Name: [DPO Name] Certification: IAPP CIPP/E, CIPM Email: [email protected] Phone: +977 9808888489 Secure Contact: dpo.luminaryleads.com.np/secure Office Hours: • Sunday-Friday: 9:00-18:00 NPT • Emergency: 24/7 for breaches Response Times: • General inquiries: 48 hours • Rights requests: 72 hours • Urgent matters: 24 hours How We Can Help: • Exercise your rights • Privacy concerns • Data protection advice • Complaint handling • Training requests • DPIA consultation Anonymous Reporting: privacy.luminaryleads.com.np/anonymous