Please carefully read this document. It is a Privacy Policy for use of the services accessible through Evrotrust mobile application (Privacy Policy/the Policy). Please also read the Privacy Policy Applicable to the Trust, Information, Cryptographic and OtherServices Provided by „Evrotrust Technologies” AD. In the event of a conflict between this Policy and the Privacy Policy Applicable to the Trust, Information, Cryptographic and Other Services Provided by „Evrotrust Technologies” AD, this Policyshall prevail, but only in respect of processing activities related to the provision of the services accessible through Evrotrust mobile application. In the case of gaps in this Policy, the provisions of the Privacy Policy Applicable to the Trust, Information, Cryptographic and Other Services Provided by „Evrotrust Technologies” AD shall apply. The Privacy Policy Applicable to the Trust, Information, Cryptographic and Other Services Provided by „Evrotrust Technologies” AD is published here.

The Privacy Policy is an integral part of the Contract for use of services accessible through the application (the Application) of Evrotrust Technologies AD (the Contract). This Policy shall apply for use of services accessible through the Application in accordance with the Contract. Any changes to the Privacy Policy shall be published here.

1. WHO ARE WE AND HOW DO WE PROCCESS PERSONAL DATA?

In relation to provision of the services Evrotrust Technologies AD (Evrotrust/ we), UIC: 203397356, registered address: Bulgaria, 1113 Sofia, Izgrev district, r.a. Iztok, 2 Nikolay Haitov Str. Entr. E, fl.2, correspondence address: Bulgaria, Sofia, 1766, Business center MM, floor 5, „Okolovrasten pat“ 251G, telephone: (+359 2) 448 58 58, fax: (+359 2) 448 58 58, e-mail: office@evrotrust.com, website: https://www.evrotrust.com/, shall process data in compliance with this Policy. In the processing of personal data Evrotrust complies with any personal data protection regulations including but not limited to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Regulation). Pursuant to the Regulation personal data is any information relating to an identified natural person or a natural person who can be identified by name, an identification number, an online identifier, address, telephone number, e-mail address, etc. Data processing is any operation or set of operations which is performed on personal data whether or not by automated means. All terms and definitions used in the present Policy for which a definition is not provided herein have the meaning provided in the Contract or in the respective Practice Statements and Policies of Evrotrust for the Provision of Trust Services (collectively referred to as „Practice Statements”); or if not defined in the above-mentioned documents have the meaning provided in the Regulation and the other applicable legal and regulatory acts.

2. FOR WHICH NATURAL PERSONS DO WE PROCESS PERSONAL DATA?

In relation to carrying out the activity of Evrotrust as a qualified and non-qualified trust services provider, We process information regarding clients of Evrotrust – natural persons, who use Evrotrust services (hereinafter referred to collectively as „client”/„You”) in their personal capacity or as legal and authorized representatives of a natural or legal person.

3. WHAT CATEORIES OF PERSONAL DATA DO WE PROCESS?

3.1. Upon your registration in the Application

Identification data

In order to use the Application and the services You are required to register through the Application. Your registration in the Application requires You to:

1. create Your own personal security codes (PIN code and secret word)

2. enter Your identification data (country of residency and personal identification number – „ЕГН“ (if You are a Bulgarian citizen) or other personal identification number according to Your residency;

3. pass through an identification process (remote – automated or semi - automated identification; or by appearing in person in an office of Evrotrust’s Registration Authority);

4. enter Your contact data (mobile telephone number and e-mail address) and confirm their validity;

Personal security codes

Upon registration You will be asked to create personal security codes – PIN code and secret word. This information is confidential and does not reach Evrotrust nor is it stored in the Application, installed onto Your device.

Important! No possibility to recover a forgotten personal security code exists, as these codes are not kept anywhere. In case you have forgotten your personal security codes, see how you can restore your ability to use the Application and Services here.

Biometric data as personal security codes

Depending on the maintained functionality of Your device on which the Application is installed as well as to the PIN code, biometric data of the Client may be attached – fingerprint, face shape, etc. and You can use them for convenience as a personal security code instead of your PIN code. Such is, for example, the Apple FaceID functionality used in iPhone X, XS, XR, iPad Pro 2nd gen models, etc. By using such features, Your biometric data always remain under Your control within Your device and the installed Application. They are not processed or stored by Evrotrust. You can stop using these features at any time.

Mandatory identification upon Application activation

In order to use the trust services You are required to be unambiguously identified and Your identity to be checked. This necessity arises from the regulatory requirements to the services we provide as a qualified trust services provider. In order for You to be unambiguously identified we shall collect, process and store the following data relating to You:

- For automated identification: your names as per ID, „ЕГН“ or other national identification number depending on the country, ID number, scanned copy of ID, all automatically retrieved data from the machine readable part of the ID (including gender, date birth, expiry date); data retrieved from your business identity for the validity of your ID from the databases of the primary data controllers (Ministry of Interior, Ministry of Regional Development and Public Works, etc.) that include a photo of the official database of identity documents; record of video identification session and photos taken during the video identification session.

- For semi-automated identification: all above-mentioned data collected upon automatic identification, incl. a record of an identification video session with an operator from Evrotrust’s Registration Authority and the information provided by You within the video session (answers to the questions asked by the operator).

- Upon present identification in an office of Evrostrust’s Registration authority: your names as per ID document, “ЕГН“ or other national identification number depending on the country, ID document number and expiry date, gender, date of birth; data retrieved upon performing an ex officio verification of the validity of your ID document from the databases of the official data controllers (Ministry of Interior, Ministry of Regional Development and Public Works, etc.), scanned copy of ID document.

When conducting automated or semi- automated identification, one-time analysis of Your biometric data is performed. The analysis is be performed to confirm with a sufficiently high level of identity, in accordance with the applicable legislation and standards, that the person in the video identification session, the photo from the ID document and the photos taken during the video session are of the same person. In this process, it is confirmed that a live person takes part in the video session. Once the analysis of these data has been completed, the biometrics processed is automatically erased, retaining only the result in the form of a percentage of the degree of identity between the images analyzed. When conducting automated identification, Evrotrust takes a decision based solely on automated processing that has significant legal consequences for you – confirmation of your identification and issuance of a Qualified Certificate of Qualified Electronic Signature (QCQES). According to Art. 22 of the Regulation, you have the right not to be subject of a such decision except with your explicit consent or when this is necessary for conclusion of a contract between you and the controller (in this case Evrotrust).

In case You wish to use the services but do not wish your biometric data to be processed in the manner described in automated or semi-automated identification or to be subject to decision based solely on automatic data processing You may pass through present identification in an office ofEvrostrust’s Registration authority. If you consent to one-time processing of Your biometric data, to be identified and an QCQES to be issued in an automated manner, prior to the identification process You must grant Your explicit consent for the described processing.

For security reasons, avoidance of fraud and guaranteeing Your rights and interests after successful automated identification, the video identification session passes through an additional human verification from an operator of our Registration Authority. For the same reason, Evrotrust also stores all data, except biometric data, and records collected during an unsuccessful identification for a period of up to 2 months after it has been conducted.

3.2. Data contained in the QCQES issued by Evrotrust and their publication

Тhe content of the QCQES issued is in compliance with the applicable European standards. QCQES issued by Evrotrust will contain Your names or pseudonym of Your choice, country, information about start and end date of validity, Your identification client number generated in our system, Your public key, information on issuer and data that serves the recognition and verification of the certificate validity by the relying parties.

When issuing an attributive QCQES in addition to the data indicated above based on Your assignment Evrotrust may include information about Your identification number such as „ЕГН“, ID card number, VAT number, etc., as well as information such as date of birth, gender, ID expiry date and other data retrieved from the machine readable part of Your ID and/or the database of the primary data controllers (Ministry of Interior, Ministry of Regional Development and Public Works, etc.). What data are included as per Your assignment in an attributive QCQES depend on what data You wish Evrotrust to certify to the relying parties before which you will use this QCQES.

Pursuant to the applicable legislation every qualified trust services provider keeps a certificate repository of the QCQES issued by it as well as for all terminated or suspended QCQES. This is done for the purpose of all relying parties to be able to check the certificates validity. Evrotrust provides a functionality for validity check of the QCQES issued by it.

3.3. Upon signing documents through the Application and upon using the electronic registered delivery services and safe storage (with depository) of documents

Each signing of documents through the Application includes, as integrated services, the service of electronic registered delivery services and safe storage of documents. Therefore, Evrotrust keeps all documents sent by or to you for signing through the functionality of the Application, all documents signed and sent by or to you and information regarding the time of signing, the time of sending and receiving of the documents, Your identification data, sender/recipient identification data, as well as hash value retrieved from the content of the document (metadata). Upon confirmation of the sending, receipt and signing of documents, Evrotrust provides to the sender the hash value as proof with information on the time of sending, receipt and/or signing, information regarding the sender and receiver, information describing the type of document (document metadata) and stores this information for a period of 10 years, regardless of the erasure of the respective documents.

Safe storage of documents (with a depository) service: You may at any time access through the Application the electronic documents signed by You. The signed documents may be stored by Evrotrust in an encrypted form for the period agreed between You and Evrotrust. In the absence of explicit individual arrangements, the standard contractual storage period of documents is 10 years. You may request at any time from Evrotrust to delete these documents or use the available functionality for that in the Application (if available). This does not delete the information listed above which has the purpose of evidencing the sending, receiving and signing of documents through the Application.

3.4. Storage of qualified electronic signature service

Your private keys are stored in a special Hardware Security Module – HSM in an encrypted form which can be decrypted only by You by entering Your personal security codes in the Application.

3.5. Upon using the e-identification service

The e-Identification service enables you to identify yourself before third parties – relying parties (e.g. a bank), in cases where signing a contract, using remote services of the relying party, etc. In these cases, the relying party sends to Evrotrust data that identifies You (for example, personal identification number) with a request for You to be identified. In the Application You are notified of each relying party that requests You to be identified before it. In order to activate the e- identification service, you need to carefully review the personal data required from You and to confirm through the Application that you wish to be identified before the specified relying party. As a result, an electronic document is generated – a statement that contains information about Your identity that the relying party has requested to be verified (certified), after that Evrotrust issues to You a one-time attributive QCQES with the content requested by the relying party for identification purposes only. This document may include your name, PIN, copy of your ID, etc. for the requested service. If you agree to identify Yourself before the relying party with the data specified in the document, you need to sign it with your QCQES issued to You for this purpose and to assign to Evrotrust to send the signed document to the relying party.

The e-Identification service also includes as an integral part the electronic registered delivery service. Therefore, in these cases, Evrotrust also processes and stores the information under item 3.3, which is intended to evidencing of the sending, receiving and signing of documents through the Application, and will be kept for a period of 10 years regardless of the deletion of the document itself. The generated electronic document – a statement that contains information about Your identity will be stored by Evrotrust for up to 2 hours after signing.

3.6. Upon using the service for password- less login for access to websites

The e-Access service enables you to securely authenticate your access to your accounts on different websites and online services to third parties without entering usernames and passwords or as a second step to secure two- factor identification. Upon provision of this service, the website/service information that have been requested to access, the time of request to access them and whether you have confirmed or denied through the Application that you are the person who requested access to the website or service will be processed.

3.7. When You make a payment to us

In case You make payments to us for the use of services, we will further process the following information relating to you: VAT number (for natural persons registered under the VAT Act), method of payment, incl. the account from which the payment was made, information on payments due and made by You and data contained in the tax and accounting documents in accordance with the applicable legislation.

3.8. Other information we collect by automatic means

In order to ensure the proper functioning and security of the Application and our services upon installation and use of the Application, Evrotrust automatically collects information about the type of device, the type of operating system used by the device, the language settings you have chosen, the number of electronic statements made and the number of unsuccessful attempts to use the services (if any).

4. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA?

Evrotrust collects, stores and processes the information specified in item 3 above for the purposes of this Policy and the Contract. Depending on the legal basis for processing, these purposes may be 
• purposes related to compliance with legal obligations of Evrotrust;
he performance of the contracts concluded between You and Evrotrust or for taking steps upon your request prior to the conclusion of such contract;
• purposes of the legitimate interest of Evrotrust or of third parties;
•Purposes for which you have given You consent to processing of Your data.

4.1. The purposes for personal data processing by Evrotrust related to compliance with legal obligations include:

• fulfillment of the regulatory requirements applicable to the provision of trust services, incl. ensuring Your secure identification, checking the authenticity of the data you provide, checking the validity of your ID, including the content required in certificates issued by Evrotrust, etc.;

• fulfilment of the regulatory requirements for retention, publication, provision of or access to information in relation to the activity of Evrotrust as a qualified trust services provider;

• fulfilment of the obligations of Evrotrust stipulated in the law for reproducing and evidencing of the electronic statements made by You;

•compliance with the applicable tax and accounting legislation;

• other activities for fulfillment of legal obligations of Evrotrust related to the provision of information to competent state and judicial authorities or for provision of assistance with inspections by competent authorities or legal audits related to the regulated activity of Evrotrust as a trust service provider

For the above-mentioned purposes we process all categories of personal data specified above.

4.2. The purposes for personal data processing related to and/or necessary for the performance of the contract or fortaking steps upon Client’s request prior to the conclusion of contract with Evrotrust include:

• activities for carrying out Your registration;

• activities for provision of the services through the Application;

• contacting You in regards the services provided;

• fiscal and accounting activity and administration, processing and collection of payments related to the services;

For the above-mentioned purposes we process all categories of personal data specified above.

4.3. The purposes for personal data processing in connection with the legitimate interest of Evrotrust or of third parties include:

4.3.1. Legitimate interest – exercise and protection of legal rights and interests of Evrotrust; and assistance in exercising and protecting the legitimate rights and interests of clients; of other entities associated with Evrotrust; of the relying parties; of employees of Evrotrust; of persons processing personal data on behalf of Evrotrust; and of Evrotrust’s business partners:

• establishment, exercise and protection of legal claims of the above- mentioned persons incl. judicial remedy, including the lodging of complaints, reportings, etc. to the competent state and judicial authorities, incl. reproduction of the retained information in the scope required for the purposes;

• taking actions to suspend the provision of services in case of breach of contract and non-compliance with Evrotrust’s Practice Statements;

• reproduction of information in regards completed e-Identification as per request and in order to protect the rights and legitimate interest of the relying party;

• reproduction of information in regards use of electronic registered delivery service upon request and in order to protect the rights and legitimate interests of the sender/recipient;

• administration and processing of filed complaints, reports, requests, etc.;

• Collection of debts owed to Evrotrust, including by outsourcing to third parties.

4.3.2. Legitimate interest – ensuring the services as well as the normal functioning of the Application:

•maintenance and administration of the services and the Application;

• taking measures against malicious acts against the security and normal functioning of the Application;

• establishment and resolving of technical problems related to the functionality of the Application;

•creation of secure environment for exchange of messages between the client, Evrotrust and the relying party;

For the above-mentioned purposes we process all categories of personal data specified above.

4.4. Explicit consent

Your data may be processed based on Your explicit consent, the processing in this case is specific and to the extent and scope provided in the respective consent. Such purposes include:

• Automated and semi-automated identification through the Application: (1) one-time processing of Your biometric data (precise measures of specific face features/face image and indicators whether a live person participates in the video identification session) and (2) making decision based solely on automated processing of your data which gives rise to significant legal consequences for you – confirmation of your identification and issuance of the QCQES if you have chosen an automated identification. In case of failed automated identification, it is switched to a semi-automatic one (i.e. a real-time video conference call with operator from theEvrotrust’s Registration Authority);

• Participate in a survey of your service satisfaction if you have agreed to participate in such.

5. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

Evrotrust does not provide your personal data to third parties in any other way except in the cases described in this Policy, the Contract or provided for by law. Evrotrust may disclose Your personal data to third parties:

5.1. If this is necessary to comply with a legal obligation of Evrotrust, for example, when providing information by Evrotrust to:

• competent state, municipal or judicial authorities;

• auditing bodies;

5.2. If this is necessary for the provision of the services such as:

• banks and payment service providers in connection with payments made;

• relying parties before whom You wish to be identified through the Application;

• persons to whom you send documents for signature or signed documents using our services;

• post and telecommunication operators for carrying out the communication between us;

5.3. If this is necessary for protection of the rights and the legal interests of Evrotrust, of third parties or Yours. In these cases, we may provide Your personal data to:

• state, municipal and judicial authorities;

• private and state bailiffs;

• lawyers;

• notaries;

5.4. Who act as data processors on behalf of Evrotrust such as cloud services provider, Evrotrust’s Registration Authority (when this activity is assigned to а third party), accounting services provider, etc.

Evrotrust uses subcontractors and service providers as dedicated data centers for reliable and secure co-location of server and network equipment, cloud systems and service providers, automated identification service providers, other IT services, etc. In its relations with subcontractors and service providers, Evrotrust requires them to strictly comply with its instructions in accordance with this Policy.

5.5. In the cases where You have given Your explicit consent;

5.6. In other cases provided for by the law.

6. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA

Evrotrust does not transfer personal data relation to You to countries outside the territory of EU/EEA.

7. FOR WHAT PERIOD DO WE STORE YOUR PERSONAL DATA?

7.1. Evrotrust processes and stores information about You until it achieves the relevant purposes for which the data have been collected and are being processed.

7.2. In accordance with its internal rules and procedures and the applicable law, Evrotrust processes and stores information about you within the following terms:

The personal data listed in this Policy may also be processed for longer periods of time than the ones specified above if this is necessary to achieve the purposes set forth therein or to protect the rights and/or legitimate interests (including through judicial remedy) of Evrotrust or of third parties or if the legislation in force provides for processing of the data for a longer period.

8. WHAT ARE YOUR RIGHTS AND HOW YOU CAN EXERCISE THEM?

In connection with the personal data processing we carry out, You have the following rights under the Regulation and the applicable personal data protection legislation:

8.1. Right to information

You have the right to obtain information about the processing of your personal data by us, as this information is contained in this Policy;

8.2. Right of access

You have the right to obtain confirmation as to whether or not Your personal data are being processed, access to them and information on the processing and Your rights in this regard.

8.3. Right to rectification

You have the right to request the rectification of Your personal data in case they are incomplete or inaccurate.

8.4. Right to erasure

You have the right to request erasure of Your data, if the grounds for doing so provided for in the Regulation are in place.

8.5. Right to restriction in relation to the data processing

The Regulation provides for the possibility to restrict the processing of your personal data if the grounds for doing so are in place.

8.6. Right to notification of third parties

You have the right to request from us to notify third parties to whom your personal data has been disclosed of any rectification, erasure, or restriction of the processing of your personal data, unless this is impossible or requires disproportionate effort on our part.

8.7. Right to data portability

You have the right to receive the personal data that are concerning You and that You have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance on our part.

The right to data portability applies where both of the following conditions are met:

- the processing is based on consent or on contractual obligation; and

- the processing is carried out by automated means.

If technically feasible, You shall be entitled to have Your personal data directly transmitted from Us to another controller. The right to data portability may be exercised in a way that does not adversely affect the rights and freedoms of other persons.

8.8. Right not to be subject to a decision based solely on automated processing

You have the right not to be subject to a decision based solely on automated processing including profiling, which produces legal effects concerning You or similarly significantly affects You, unless the grounds provided for doing so in the applicable personal data protection legislation are in place and appropriate safeguards to protect your rights, freedoms and legitimate interests are provided.

Upon registration in the Application through automated identification on the basis of your explicit consent and in view of conclusion of Your Contract with Evrotrust a decision based solely on automated processing of your personal data (incl. biometric data) is made which produces significant legal effects for You – confirmation of Your identification and issuance of QCQES. The appropriate safeguards provided for your rights, freedoms and legitimate interests in this regard are as follows:

• If you do not wish to be subject to a such decision, you may pass through an identification at an office of Evrotrust’s Registration Authority (i.e. be identified through an appearance in person);

• In case of unsuccessful automated identification – human intervention through real-time video conference call via the Application between You and operator of Evrotrust’s Registration Authority;

• In case of successful automated identification

In addition to safeguard your rights and interests after successful automated identification, the record from the video identification shall passed through an additional human verification by an operator of the Registration authority. For the same reason, Evrotrust stores all collected data and records during an unsuccessful identification for a period of up to 2 months from the date when it was made.

8.9. Right to withdrawal of consent

You have at any time the right to withdraw your consent to personal data processing if the respective processing is based on the consent given by You. Such withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

8.10. Right to object

You have the right to object at any time and on grounds relating to Your particular situation, to processing of Your personal data which is based on public interest, exercise of official authority or Evrotrust or of a third party. In the event of such an objection, we will examine Your request and, if justified, we will comply with it. If we consider that there are compelling legitimate grounds for the processing or that it is necessary for the establishment, exercise or protection of legal claims, we will inform You accordingly.

8.11. Exercise of rights

The rights described above may be exercised at any time using the functionalities available in the Application, or you may send a written request to the Evrotrust’s DPO – by mail to the contact address or by e-mail to the email address specified in item 1 of this Policy, in accordance with the procedure laid down by the applicable legislation.

8.12. Right to lodge a complaint with a supervisory authority

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of Your habitual residence, place of work or place of the alleged infringement if You consider that the processing of Your personal data infringes this Regulation or other applicable personal data protection requirements.The supervisory authority in the Republic of Bulgaria is the Commission for Personal Data Protection, address: Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd., Website: https://www.cpdp.bg/.

You can find information about the supervisory authorities of other Member States here.

9. HOW DO WE PROTECT YOUR PERSONAL DATA?

We will take all necessary steps, including technical and organisational measures tailored to the level of risk to the processing carried-out by us to safeguard the security of Your personal data so as to prevent accidental or unlawful destruction, loss, alteration, unlawful disclosure, access, or other illegal or undesirable event that could endanger the security of personal data processed by us.

10. WHO CAN YOU CONTACT IN REGARDS YOUR PERSONAL DATA PORCESSING AND EXERCISE OF YOUR RIGHTS? OUR DATA PROTECTION OFFICER

You may address all your requests and questions relating to the protection of your personal data and the exercise of your rights under personal data protection law to our DPO:

telephone: (+359 2) 448 58 58

e-mail address: dpo@evrotrust.com

Address: Sofia, 1766, Business center MM, floor 5, „Okolovrasten pat“ 251G

11.CHANGES TO THE POLICY

We may update this Policy from time to time in order to reflect any changes in the processing of your personal data or to comply with changes in current legislation.

All changes which we may further make will be published in the Application as well as on the website: www.evrotrust.com

The Privacy Policy was last updated on 15th January, 2022.

This document has been published on Evrotrust’s website on the internet in Bulgarian and in English language. In case of any discrepancy between the Bulgarian and the English text, the Bulgarian text takes precedence.