This Privacy Policy applies to the following companies, acting as Data Controllers for the personal data they collect and process within their activities:

SYNERE, LDA., headquartered at Rua da Zona Industrial, n.º 420, 4580-565 Lordelo, Portugal, with registration and tax identification number 509413692;

INOVOCORTE, S.A., headquartered at Rua da Zona Industrial, n.º 420, 4580-565 Lordelo, Portugal, with registration and tax identification number 517858274;

MUVV FORWARD, S.A., headquartered at Rua da Zona Industrial, n.º 420, 4580-565 Lordelo, Portugal, with registration and tax identification number 517856123;

BOLDMAQ, S.A., headquartered at Rua da Zona Industrial, n.º 420, 4580-565 Lordelo, Portugal, with registration and tax identification number 518231135.

These companies are part of the SYNERE Group (hereinafter, SYNERE).

1. Framework

This Privacy Policy establishes the commitment of all companies within the Group to the protection of personal data. For GDPR purposes, Data Controller responsibility lies with the company that collects the data (the legal entity whose website or service you are using), except when the Group acts as Joint Controllers (see 'Data Sharing within the Group' section).

SYNERE aims to strengthen and consolidate the relationship of trust and proximity it maintains with its stakeholders (e.g., clients, employees, suppliers, shareholders, and investors) through clear and transparent communication about what it does with this data, the rights it recognizes for data subjects, and how to exercise them.

SYNERE acts in strict compliance with the principles described in this policy, Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR), and applicable data protection legislation in all personal data processing activities under its responsibility.

This Privacy Policy is part of SYNERE's personal data protection regulatory framework, which includes standards and procedures for managing the security and privacy of personal data. SYNERE processes personal data through various operational and technical means to support its business process activities.

SYNERE shares personal data among its companies, identified above, when necessary to pursue its legitimate interests. SYNERE has a legitimate interest in managing its activities efficiently and centrally, ensuring business cohesion and service quality.

A. Objectives

The Privacy Policy, as a communication instrument, has the following main objectives:

• Strengthen and consolidate SYNERE's relationship of trust and proximity with all its stakeholders;
• Demonstrate transparency regarding the purposes and lawful bases of processing activities carried out by SYNERE, as well as the retention periods for personal data involved;
• Inform data subjects of their rights regarding data protection and how they can exercise them;
• Inform data subjects who the responsible persons at SYNERE are that they can contact to exercise their rights or clarify how their personal data is processed.

B. Scope of Application

This Privacy Policy applies exclusively to the processing of personal data carried out by SYNERE within the context of the stated purposes.

For the purposes of this policy, personal data means any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identification number or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.

C. Maintenance, Communication, and Application of the Policy

This Privacy Policy must be reviewed annually when circumstances change and whenever there are legislative changes, to validate that it remains current and appropriate given applicable regulations and laws. Proposals for policy revision and supervision of its application and compliance are the responsibility of SYNERE's competent management body.

This policy must be known to all SYNERE employees and must be made available to its stakeholders whenever the processing of their personal data is concerned, through appropriate channels, particularly on SYNERE's website.

2. Privacy Policy Content

A. Our Privacy Commitment

SYNERE operates based on trust and transparency. This commitment translates into our daily relationship with our clients, employees, suppliers, and other stakeholders. The privacy and security of the data you entrust to us are our priority.

It is our commitment to only collect, store, process, transmit, or delete your personal data transparently and only when essential to our relationship.

We will inform you of how and for what purpose we use your personal data, with the guarantee that we collect, share, and store your personal data with reference to best practices in security and data protection.

When your personal data is collected, stored, processed, transmitted, or deleted by other subcontracted entities, we require these entities to maintain the same level of privacy and security.

We want you to feel confident that your personal data is safe with us, as we will always be committed to protecting your privacy, and we take our responsibilities regarding the protection of your personal data very seriously.

Whenever you have any questions about how we use your personal data, we are available to help you through email at marketing@syneregroup.pt.

B. Who is Responsible for Your Personal Data

SYNERE, LDA., as identified above, is the Data Controller for your personal data for centralized Group management purposes, under the General Data Protection Regulation and complementary data protection legislation in force in the countries where it operates.

Each of the companies identified above is part of SYNERE, so your personal data may be transmitted and processed by any of the companies belonging to this Group for internal administrative purposes and based on the Group's legitimate interest.

For all matters relating to the processing of your personal data and the exercise of your rights, you can contact us through:

Email: marketing@syneregroup.pt
Address: Rua da Zona Industrial, n.º 420, 4580-565 Lordelo, Portugal

C. Personal Data We May Collect

In this Privacy Policy, the term "Personal Data" means the set of information that relates to you and allows us to identify you, directly or indirectly. Your personal data may include, for example, your name, tax identification number, and your contact information (physical and/or electronic).

We may also receive your personal data from other companies, particularly when they collect, process, or store it under a service agreement entered into with us.

D. How and Why We Use Your Personal Data and What is the Legal Basis

We use your personal data only for the following specific purposes, based on the respective lawful bases provided in the GDPR:

• Contractual and Commercial Management (e.g., order processing, invoicing, delivery of goods/services);
• Direct Marketing Communications (e.g., sending newsletters, communications);
• Recruitment and Human Resources Management (e.g., processing applications, payroll management);
• Compliance with Legal Obligations;
• Service Improvement and Fraud Prevention.

SYNERE may centralize certain services or business functions (such as Human Resources Management, Customer Support, or Marketing). In these cases, the company providing this centralized service (which may be any SYNERE company) acts as a Data Processor for the other Group companies, always ensuring the application of security and confidentiality measures required by GDPR.

E. How Long We Keep Your Personal Data

We keep your personal data only for the period necessary to fulfill the objectives defined within our relationship and to comply with any legal obligations.

Once the maximum retention period is reached, your personal data will be anonymized or securely destroyed/deleted.

F. With Whom We May Share Your Personal Data

In some cases, we may disclose your personal data to other entities within the scope of services they provide. In such cases, we require that they have appropriate security measures in place to protect your personal data, particularly through a subcontracting agreement.

When required by law, we may have to disclose your personal data to authorities or third parties (e.g., Tax Authority, Courts).

In the case of transfer or access to your personal data by companies that are part of SYNERE or by suppliers/service providers based outside the European Union (EU) or European Economic Area (EEA), we ensure that your personal data is processed in accordance with appropriate security and protection measures. These transfers will only be made if:

• The country in question has an Adequacy Decision from the European Commission; or
• We use Standard Contractual Clauses approved by the European Commission to ensure a level of data protection equivalent to GDPR.

G. How You Can Exercise Your Personal Data Protection Rights

Under certain circumstances, you have the right to access or request from us, at any time and in writing, through email at geral@synere.pt:

• Access to additional information about how we use your personal data;
• Rectification of your personal data;
• Erasure of your personal data ("right to be forgotten");
• Objection to the processing of your personal data (e.g., objection to marketing);
• Restriction of how we use your personal data while we correct it or clarify any doubts;
• Portability of your personal data, so you can transmit it to another entity, if technically possible;
• Withdrawal of consent you have given us to use your personal data.

The exercise of these rights is limited when your personal data is used to safeguard the public interest, particularly in cases of crime detection and prevention, or when it is subject to professional secrecy or legal retention obligations.

Regardless of which SYNERE company is processing your data, you can exercise your rights through email at marketing@syneregroup.pt.

If you are dissatisfied with how we use your personal data or with our response to your request to exercise your rights, you may file a complaint with the National Data Protection Commission (CNPD). You can find contact information at www.cnpd.pt.

H. How We Protect Your Personal Data

SYNERE has a variety of information security measures, aligned with national and international best practices, to protect your personal data. We implement technological controls, administrative measures, technical and physical procedures, and safeguards that ensure the protection of your personal data, preventing its misuse, unauthorized access and disclosure, loss, improper or inadvertent alteration, or unauthorized destruction. We assume the same commitment to continuous improvement in information security that guides us in our daily activities.

Among others, we highlight the following measures:

• Restricted access to your personal data only by those who need it for the objectives we have set above;
• Storage and transfer of personal data only in a secure manner;
• Protection of information systems through devices that prevent unauthorized access;
• Implementation of mechanisms that ensure the safeguarding of the integrity and quality of your personal data;
• Permanent monitoring of information systems to prevent, detect, and impede improper use;
• Equipment redundancy to avoid loss of availability.

I. Updates to this Privacy Policy

This Privacy Policy may be updated from time to time, which will be disclosed through appropriate channels, particularly on SYNERE's website. The date of the last update will appear at the end of the document.

Last Update Date: 14/10/2025