Personal Information Protection Policy for [loopamid TexTracker]

This Policy applies only to loopamid TexTracker (the “System”) BASF (China) Company Ltd.

Last update date: 06072024.

If you have any queries, comments or suggestions, please contact us via the following means:

This Policy will help you understand the following:

Rules on collection and use of Personal Information for Business Function
How do we protect your Personal Information
Your rights
How is your Personal Information transferred globally

BASF China is fully aware of the importance of your Personal Information to you and will do our utmost to protect the security and reliability of your Personal Information. We are committed to maintaining your trust in us, and abide by the following principles in our efforts to protect your Personal Information: commensurability of powers and responsibilities, clear purpose, consent, minimum necessary, security assurance, engagement of Subjects, openness and transparency, etc. In the meanwhile, BASF China undertakes to take appropriate security protection measures to protect your Personal Information according to the established industry-specific security standards.

Please read carefully and understand this Personal Information Protection Policy before using our System.

1. What Personal Information do we collect?

The functionalities provided by this system rely on certain information from you in order to operate. If you choose to use these functionalities, you will need to provide and allow us to collect the necessary information, which includes:

1.1

Email address: This information is used for registration and logging into the system.

1.2

Phone number and name: This information is used for registration and logging into the system.

1.3

Camera access: This permission is used for scanning the QR codes of recyclable items and for taking photos of recyclable items. You need to allow access to the camera to proceed with scanning and photographing.

1.4

Photo album access: This permission is used for saving and uploading photos of recyclable items. You need to allow access to the photo album to proceed with the scanning steps.

1.5

Location access: This permission is used to record the location information of recyclable items. The system will grant GPS access, and you need to allow access to GPS to proceed to the next step.

1.6

Access device attribute information (SN, system customizer): This permission is used to distinguish whether the current device is a handheld terminal printer (referred to as PDA) or a regular mobile device.

Please note, when you enable any permission, you authorize us to collect and use the relevant personal information to provide the corresponding services. Once you disable any permission, you revoke the authorization, and we will no longer collect or use the related information, nor can we provide the services requiring that permission. However, your decision to disable a permission will not affect the collection and use of information prior to the disabling of the permission (and revocation of the authorization).

2.How do we use your Personal Information?

We will use the necessary Personal Information to provide this Business Function, including assigning an individual User ID and contacting you to give you access to the System and updating this Policy, as well as to maintain and improve this Business Function, develop new Business Functions, and so forth. We will not use your Personal Information for advertising purposes without prior consent.

3.How do we share, transfer and publicly disclose your Personal Information?

(1)

Sharing

We will not share your Personal Information with any company, organization or individual other than this Company and Affiliates of this Company, unless we have obtained your explicit consent. “Affiliate” shall mean, with respect to this Company, any entity which, directly or indirectly, controls, is controlled by or is under the common control with the Party. An entity shall be deemed to control another person if the controlling person possesses, directly or indirectly, ownership of at least fifty percent (50%) of the equity shares of such an entity or has the power to direct the management of such an entity. We may share your Personal Information externally in accordance with laws and regulations or as required by government authorities.

(2)

Delegated processing

We will delegate IBMix Berlin to process your Personal Information for purposes of providing this Business Function, including assigning an individual User ID and contacting you to give you access to the System and updating this Policy, as well as to maintain and improve this Business Function, develop new Business Functions, and so forth. We will not use your Personal Information for advertising purposes without prior consent.

We will sign strict data processing agreement with IBMix Berlin we have engaged to process Personal Information, and require them to process Personal Information according to our requirements, this Personal Information Protection Policy and any other related confidentiality and security measures.

(3)

Public Disclosure

We will publicly disclose your Personal Information only under the following circumstances:

Upon obtaining your Explicit Consent;

Disclosure according to law: We may disclose your Personal Information publicly if required by laws, legal procedures, or litigation or government authorities.

4.How do we protect your Personal Information?

(1)

We have employed security protection measures that meet industry standards to protect the Personal Information provided by you and prevent such data from unauthorized access, public disclosure, use, modification, damage or loss. We will take all reasonable and feasible measures to protect your Personal Information.

(2)

We will take all reasonable and feasible measures to ensure that no irrelevant Personal Information is collected. We will retain your Personal Information only for such period as necessary to achieve the purposes specified in this Policy, unless extension of the retention period is needed or permitted by law.

(3)

The Internet environment is by no means 100% secure. We will do our best to ensure or guarantee the security of any information you send to us. If our physical, technical, or management safeguards are damaged, resulting in unauthorized access, public disclosure, tampering or destruction of any information and therefore causing any damage to your legitimate rights and interests, we will bear the corresponding legal responsibilities therefor.

(4)

After any Personal Information security incident occurs, we will inform you of the following in a timely manner as required by laws and regulations: the basic situation and possible impact of the security incident, measures we have taken or will take to handle the incident, suggestions on the steps you can take independently to prevent and reduce any risks, remedies available to you, etc. We will promptly notify you of the incident-related information by email, letter, phone, push notification or other means. Where it is difficult to inform the Personal Information Subjects individually, a public announcement will be released in a reasonable and effective manner.

In the meanwhile, we will report the handling of Personal Information security incidents according to the requirements of regulatory authorities.

5.Your rights

We will, in accordance with the relevant Chinese laws, regulations and standards, and the common practices in other countries and regions, guarantee that you can exercise the following rights with respect to your Personal Information:

(1)

Right of access to your Personal Information

You have the right of access to your Personal Information, except as otherwise provided by laws and regulations. You can send an email to loopamid_Textracker@basf.com to request the record of your personal data.

We will respond to your request for access within 30 days.

With respect to other Personal Information generated during your use of our products or services, we will provide such information to you as long as this is not excessively onerous for us. If you want to exercise the right of access to data, please send an email to: loopamid_Textracker@basf.com

(2)

Right to correct your Personal Information

Where you find any error in your Personal Information processed by us, you have the right to require us to make corrections. You can file a request for correction by the means listed in “(1) Right of access to your Personal Information”.

We will respond to your request for correction within 30 days.

(3)

Right to delete your Personal Information

You can make a request for deletion of your Personal Information where:

Our processing of your Personal Information violates any laws or regulations;

We have collected or used your Personal Information without your consent;

Our processing of your Personal Information violates the agreement with you;

You no longer use our products or services, or you have cancelled your account;

We no longer provide products or services for you.

If we decide to respond to your request for deletion, we will also notify the entities that have obtained your Personal Information from us and require them to delete such information in a promptly manner, except as otherwise provided by laws and regulations, or unless these entities have obtained consent from you separately.

Where your Personal Information has been deleted from our service system, we may not delete the corresponding information from the backup system immediately but will instead delete such information when the backup system is updated.

(4)

Right to change the scope of your consent

Each Business Function needs certain basic Personal Information to be realized. For the collection and use of additional Personal Information, you can give or withdraw your consent at any time.

You can give or withdraw your consent in the following way:.email to loopamid_Textracker@basf.com

If you withdraw your consent, we will cease processing the corresponding Personal Information. However, your decision to withdraw your consent will not affect our previous Personal Information processing activities carried out under your authorization.

(5)

Right of Personal Information Subjects to cancel their accounts

You can cancel your previously registered account at any time in the following way : email to loopamid_Textracker@basf.com

After your account has been cancelled, we will stop providing products or services for you and delete your Personal Information at your request, unless otherwise provided by laws and regulations.

(6)

Right of Personal Information Subjects to obtain copies of their Personal Information

You have the right to obtain a copy of your Personal Information in the following way: email to loopamid_Textracker@basf.com

Where technically feasible, if the data interface is matched, we can also transmit a copy of your Personal Information directly to a third party designated by your at your request.

(7)

Restrictions on automated decision-making of information systems

In some Business Functions, we may make decisions based solely on non-manual automated decision-making mechanisms including information systems, algorithms, etc. If these decisions significantly affect your lawful rights and interests, you have the right to require us to offer an explanation, and we will also provide appropriate remedies to you.

(8)

Responding to your requests

To ensure security, you may need to submit a written request or otherwise prove your identity. We may ask you to verify your identity before processing your requests.

We will respond to your requests within thirty days. If you are dissatisfied with our response, you can also lodge a complaint through the following channels: email to loopamid_Textracker@basf.com

In principle, we do not charge a fee on any reasonable requests made by you, but for repeated requests that exceed reasonable limits, we will charge a certain cost-based fee as appropriate. We may reject unreasonably repetitive requests that require excessive technical means (for example, the development of a new system or fundamental change of existing practices), pose a risk to the legitimate rights and interests of others or are extremely impractical (for example, involving any information stored on backup tapes).

We will be unable to respond to any request submitted by you if:

It is related to the performance by the Personal Information Controller of the obligations provided by laws and regulations;

It is directly related to national security or national defense;

It is directly related to public safety, public health, and significant public interests;

It is directly related to criminal investigation, prosecution, trial, enforcement of judgments and the like;

The Personal Information Handler has sufficient evidence to prove that the Personal Information Subject is subjectively malicious or has engaged in the abuse of power;

It is necessary for protecting the life, property or other major lawful rights and interests of the Personal Information Subject or other individuals, and it is difficult to obtain their consent;

Responding to such request would seriously undermine the lawful rights and interests of the Personal Information Subject or other individuals or entities;

Trade secrets are involved.

6.How is your Personal Information transferred globally

In principle, the Personal Information we collect and generate within the territory of the People’s Republic of China will also be stored within the territory of the People’s Republic of China.

We provide products or services with resources and servers deployed across the world, which means that with your consent, your Personal Information may be transferred to the overseas jurisdictions (countries/regions) where you use our products or services, or be accessed from such jurisdictions.

Such jurisdictions may have different data protection laws, or even have no relevant laws. In such cases, we will ensure that your Personal Information is adequately protected to the same degree it is protected in the People’s Republic of China. For example, we will seek your consent for cross-border transfer of Personal Information, or implement de-identification and other security measures prior to cross-border data transfer.