
PRIVACY POLICY

Version 1.1 | Effective Date: 18 May 2026
Data Controller: GLADDROP LTD
Registration Number: 17214115 (Companies House, England & Wales)
Jurisdiction: England and Wales
Date of Incorporation: 12 May 2026
Email: hladenko.comp@gmail.com
Website: gladdrop.tv

1. GENERAL PROVISIONS

1.1. This Privacy Policy (hereinafter — the "Policy") governs the collection, use, storage and protection of personal data of visitors and users of the website with the domain name gladdrop.tv (hereinafter — the "Website").

1.2. The data controller is GLADDROP LTD — a company registered in England and Wales under number 17214115 (hereinafter — the "Company", "we", "us").

1.3. This Policy has been developed in accordance with the requirements of:

  • UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 — with respect to data of UK residents;
  • Regulation (EU) 2016/679 (EU GDPR) — with respect to data of residents and data subjects located in EU/EEA Member States;
  • Privacy and Electronic Communications Regulations 2003 (PECR) — with respect to the use of cookies and electronic marketing communications;
  • ePrivacy Directive 2002/58/EC — with respect to data subjects in the EU;
  • Law of Ukraine "On Personal Data Protection" of 1 June 2010 — in relation to the processing of personal data of individuals residing or located in Ukraine.

1.4. The terms "personal data", "processing", "controller", "processor", "data subject", "consent", "legitimate interest" are used in the meanings defined in the UK GDPR and EU GDPR.

1.5. Please read this Policy carefully before using the Website.

2. DEFINITIONS OF TERMS

2.1. Personal data — any information relating to an identified or identifiable natural person (data subject).

2.2. Processing — any operation or set of operations performed on personal data: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.3. Controller — GLADDROP LTD, which determines the purposes and means of processing personal data.

2.4. Processor — a natural or legal person who processes personal data on behalf of the Controller.

2.5. Data Subject / User — an identified or identifiable natural person whose personal data is processed (a Website Visitor and/or a registered User).

2.6. Website — the website with the domain name gladdrop.tv.

2.7. Cookies — small text files placed on the User's device for the purposes described in Section 8 of this Policy.

2.8. UK GDPR — the UK General Data Protection Regulation as incorporated into UK law by virtue of the European Union (Withdrawal) Act 2018, as amended by the Data Protection Act 2018.

2.9. EU GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

2.10. ICO — Information Commissioner's Office, the supervisory authority for data protection in the United Kingdom.

3. CATEGORIES OF PERSONAL DATA COLLECTED

3.1. Data provided directly by the User:

  • First name and last name;
  • Email address;
  • Contact phone number;
  • Delivery address / billing address;
  • Payment data (processed exclusively through certified PCI DSS payment services; the Company does not store full payment card details);
  • Data necessary for invoicing and accounting;
  • Content of correspondence with the Company (messages to support service, emails).

3.2. Data collected automatically:

  • IP address and approximate geographical location;
  • Device type, operating system, browser type and version;
  • Referrer URL and exit pages;
  • Language and regional settings;
  • Date, time and duration of the visit; pages viewed;
  • Actions on the Website (clicks, scrolling, form filling);
  • Cookie identifiers and similar technical identifiers (subject to consent in accordance with Section 8).

3.3. Data obtained from third parties:

We may receive personal data from:

  • payment providers — confirmations of transactions;
  • analytical services (Google Analytics) — aggregated and/or anonymised data about interaction with the Website (subject to your prior consent to analytical cookies).

3.4. Special categories of data:

The Company does not collect or process special categories of personal data. In the event that the provision of such data is necessary for a specific service, the Company shall obtain a separate explicit consent of the data subject prior to the commencement of any processing.

3.5. Children:

The Website is not intended for persons under 16 years of age. We do not knowingly collect personal data of children. If we become aware that a child's data has been collected without appropriate authorization, we will delete it immediately.

4. LEGAL BASES FOR PROCESSING PERSONAL DATA

In accordance with Article 6 of the UK GDPR and EU GDPR, we process your personal data on the following legal bases:

Legal Basis | Purpose of Processing | Categories of Data
Performance of a contract (Art. 6(1)(b)) | Account registration, order processing, delivery, payment processing, technical support | Name, email, phone, address, payment data
Legal obligation (Art. 6(1)(c)) | Compliance with tax, accounting, and corporate laws of the United Kingdom | Invoicing data, transaction data
Legitimate interest (Art. 6(1)(f)) | Website security and fraud prevention; improvement of services; recording customer support requests; data sharing within the corporate group | Technical data, IP address, security logs
Consent (Art. 6(1)(a)) | Marketing newsletters; analytical, functional, and marketing cookies | Email, cookie data, behavioral data

5. DISCLOSURE OF PERSONAL DATA TO THIRD PARTIES

5.1. We transfer your personal data to third parties only in the cases specified below and exclusively on the basis of concluded Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs).

5.2. Categories of recipients:

  • Payment providers — to process transactions (acting as independent controllers or processors in accordance with PCI DSS);
  • Cloud infrastructure and hosting providers — to ensure the operation of the Website;
  • Postal and courier services — to organize delivery of orders;
  • Marketing and analytical platform providers — to send newsletters and analyze the Website (subject to your consent);
  • State authorities and law enforcement agencies — upon legal request in accordance with the applicable law of the UK or EU.

5.3. In the event of restructuring, merger, or acquisition of the Company, personal data may be transferred to the successor subject to compliance with the UK GDPR / EU GDPR and notifying you thereof.

5.4. We do not sell or transfer personal data to third parties for their own marketing purposes without your explicit consent.

6. INTERNATIONAL TRANSFERS OF PERSONAL DATA

6.1. Some of our service providers may be located or process data outside the United Kingdom or the EEA. In such cases, the transfer is carried out on the basis of one of the following mechanisms: Adequacy Decision; Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914); UK International Data Transfer Agreement (IDTA) approved by the ICO; or Binding Corporate Rules (BCRs).

6.2. Regarding transfers between the UK and the EU/EEA: The UK is recognized by the European Commission as a country with an adequate level of data protection (Adequacy Decision of 28 June 2021). Accordingly, the transfer of personal data between the UK and the EU is carried out without additional safeguards.

6.3. Regarding data subjects from Ukraine — transfer of personal data to/from Ukraine:

  • Ukraine is not included in the list of countries with an adequate level of data protection either by the United Kingdom (UK Adequacy Regulations) or by the European Commission (as of the effective date of this Policy).
  • The transfer of personal data to/from Ukraine is carried out on the basis of the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and/or the UK International Data Transfer Agreement (IDTA) approved by the ICO — depending on which jurisdiction applies.
  • In accordance with Article 29 of the Law of Ukraine "On Personal Data Protection", the transfer of personal data to the United Kingdom and EU/EEA member states is lawful, as these jurisdictions ensure an adequate level of protection.
  • The Company takes all reasonable measures to ensure that recipients of personal data of Ukrainian data subjects comply with protection standards equivalent to the requirements of the UK GDPR / EU GDPR.

6.4. For more information on protection mechanisms for international data transfers, please contact us using the contact details in Section 14.

7. DATA RETENTION PERIODS

7.1. We store your personal data for no longer than is necessary to achieve the purposes of processing or to meet the requirements of applicable law.

Data Category | Retention Period
User account / profile data | For the duration of the account active status + 3 years after deletion
Order and transaction data | 6 years
Accounting documentation and invoices | 6 years
Security and access logs | 12 months
Marketing permissions (consent records) | 3 years from the withdrawal of consent
Cookie data (analytics / marketing) | According to cookie settings (up to 24 months)
Correspondence with customer support | 3 years

7.2. Upon expiration of the retention period, personal data is securely deleted or anonymised.

8. COOKIES AND SIMILAR TECHNOLOGIES

8.1. Legal Basis: In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and the ePrivacy Directive 2002/58/EC, we place non-essential cookies only after obtaining your explicit, free, specific, informed, and unambiguous consent (your consent is recorded via the Cookie Consent Banner / Cookie Preference Centre upon your first visit to the Website).

8.2. Categories of cookies:

Cookie Type | Purpose | Consent Required? | Duration
Strictly Necessary | Provide basic functions (authorization, shopping cart, security) | NO | Session / up to 1 year
Analytics | Analyze traffic and behavior (Google Analytics) | YES | Up to 24 months
Functional | Save language settings and preferences | YES | Up to 12 months
Marketing | Personalized advertising, retargeting | YES | Up to 24 months

8.3. Managing Cookies: You can review and change your cookie preferences at any time via the Cookie Preference Centre on the Website, as well as through your browser settings. Withdrawal of consent to non-essential cookies will not affect the lawfulness of their prior processing.

8.4. Google Analytics: When you consent to analytical cookies, we use Google Analytics with the IP anonymisation function activated. You can install the Google Analytics opt-out browser add-on: https://tools.google.com/dlpage/gaoptout.

9. MARKETING COMMUNICATIONS

9.1. Legal Basis: We send marketing emails exclusively on the basis of your explicit and separate prior consent obtained in accordance with the requirements of PECR (Regulation 6) and the EU GDPR. The "I agree" checkbox cannot be pre-ticked.

9.2. Content of mailings: New products and services, promotions, special offers, useful information.

9.3. Right to Unsubscribe: You can withdraw your consent and unsubscribe at any time:

  • by clicking the "Unsubscribe" link in each marketing email;
  • by sending a request to the contact details in Section 14.

9.4. We stop sending marketing messages immediately upon receipt of the unsubscribe request (in any case, no later than 10 business days). Unsubscribing does not affect transactional emails (order confirmations, delivery notifications).

10. SECURITY MEASURES

10.1. The Company implements technical and organizational measures in accordance with Article 32 of the UK GDPR / EU GDPR to ensure a level of security appropriate to the risk, including:

  • encryption of data in transit (TLS/SSL) and at rest;
  • pseudonymisation of personal data where appropriate;
  • restriction of access on a need-to-know basis;
  • regular testing and evaluation of the effectiveness of security measures;
  • staff training in the field of personal data protection;
  • procedures for responding to data security breaches (Data Breach Response Plan).

10.2. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, the Company shall notify the ICO (and/or the relevant EU supervisory authority) no later than 72 hours after becoming aware of the incident. In case of high risk, we will also directly notify the affected Users.

10.3. Despite the measures taken, no system of data transmission over the Internet is completely secure. We recommend that you use strong passwords and do not disclose account credentials to third parties.

11. RIGHTS OF DATA SUBJECTS

11.1. In accordance with the UK GDPR and EU GDPR, you have the following rights:

Right | Description
Right to be informed | To receive clear and transparent information about how we process your data.
Right of access | To obtain a copy of your personal data processed by us.
Right to rectification | To demand correction of inaccurate or completion of incomplete personal data.
Right to erasure ("right to be forgotten") | To demand deletion of your data (if there is no legal basis for its further retention).
Right to restrict processing | To demand suspension of processing of your data in certain cases.
Right to data portability | To receive your data in a structured, commonly used, machine-readable format or transfer it to another controller.
Right to object | To object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent | To withdraw your consent at any time; withdrawal does not affect the lawfulness of prior processing.
Rights related to automated decision-making | Not to be subject to a decision based solely on automated processing, which produces legal effects (if applicable).

11.2. Period for Consideration of Requests: We respond to all legitimate requests within one (1) month from the date of receipt. For complex or multiple requests, the period may be extended by another two months (with notification to you within the first month).

11.3. Requests are sent to the contact details in Section 14 and must contain: your first name and last name; contact details; the substance of the request; means of identification (to confirm identity).

11.4. Subject Access Request (SAR) services are provided free of charge. In case of manifestly unfounded or excessive requests, we reserve the right to charge a reasonable fee or refuse to act on the request.

11.5. If you believe that the processing of your personal data violates applicable law, you have the right to lodge a complaint with the relevant supervisory authority:

  • Information Commissioner's Office (ICO) — the UK supervisory authority: www.ico.org.uk | tel. 0303 123 1113;
  • The supervisory authority of the EU Member State of your habitual residence or place of work (if you are in the EU);
  • The Ukrainian Parliament Commissioner for Human Rights (Ombudsman) — if you are a data subject residing or located in Ukraine: 21/8 Instytutska St., Kyiv, 01008 | hot-line@ombudsman.gov.ua | tel. 0800-501-720 (free of charge).

11.6. We encourage you to first contact us to resolve the issue before filing a complaint with the regulator.

12. SPECIAL PROVISIONS FOR DATA SUBJECTS FROM UKRAINE

12.1. This section applies in addition to the rest of the provisions of this Policy in cases where the data subject is a natural person residing or located in Ukraine, or when the processing of personal data falls under the scope of the Law of Ukraine "On Personal Data Protection" of 1 June 2010 (hereinafter — the "Law").

12.2. Bases for Processing under the Law of Ukraine. The processing of personal data is carried out on the basis of Article 11 of the Law, in particular:

  • consent of the data subject to the processing of their personal data;
  • necessity of performing a contract to which the data subject is a party;
  • necessity of protecting the legitimate interests of the Company or third parties;
  • performance of the Company's obligations defined by law.

12.3. Rights of Data Subjects under Ukrainian Law. In addition to the rights specified in Section 11 (UK GDPR / EU GDPR), data subjects located in Ukraine have the following rights under Article 8 of the Law:

  • to know about the location of the personal data base containing their personal data, its purpose and name, location and/or place of residence (stay) of its owner or processor;
  • to receive information about the conditions for granting access to personal data, in particular information about third parties to whom personal data are transferred;
  • to access their personal data and receive a copy thereof;
  • to submit a motivated demand to change or destroy their personal data by any owner and processor of personal data if these data are processed unlawfully or are inaccurate;
  • to protect their personal data from unlawful processing and accidental loss, destruction, damage due to deliberate concealment, failure to provide or untimely provision;
  • to lodge complaints regarding the processing of their personal data with the Ukrainian Parliament Commissioner for Human Rights or with a court;
  • to apply legal remedies in case of violation of legislation on personal data protection;
  • to enter reservations regarding the restriction of the right to process their personal data when granting consent;
  • to withdraw consent to the processing of personal data;
  • to know the mechanism of automatic processing of personal data;
  • to be protected against an automated decision that has legal consequences for them.

12.4. Procedure for Exercising Rights. Requests regarding the exercise of rights under the Law of Ukraine are sent to the contact details specified in Section 14. The Company considers such requests within the time limits provided by the Law, namely — no later than 30 (thirty) calendar days from the date of receipt of the request, unless another period is provided by Ukrainian law for a specific category of requests. In case of refusal to satisfy the request, the Company provides a motivated written response indicating the grounds for refusal.

12.5. Registration of the Personal Data Base. In accordance with the Law of Ukraine "On Personal Data Protection", the Company, as a foreign owner of a personal data base processing data of Ukrainian subjects, takes measures to ensure compliance with the requirements of the Law, in particular regarding notifying data subjects about the processing of their personal data and the bases for such processing.

12.6. Language of the Document. This Policy is drawn up in English as the primary language. The Ukrainian version is an official translation. In the event of any conflict between the English and Ukrainian versions of the Policy, the English version shall prevail.

13. CHANGES TO THE POLICY

13.1. We reserve the right to update this Policy. We will notify you of material changes by:

  • posting the updated Policy on the Website indicating the new effective date;
  • sending a notification to your email address (for registered Users) — no later than 30 days before the entry into force of changes that significantly affect the data processing or your rights.

13.2. If new terms of data processing require your separate consent (for example, new purposes of processing), we will request such consent in accordance with the established procedure.

13.3. Continued use of the Website after the entry into force of changes that do not require separate consent means their acceptance.

14. CONTACT INFORMATION

14.1. For all questions related to the processing of personal data and the exercise of your rights, please contact the Company:

Company: GLADDROP LTD
Registration Number: 17214115
Jurisdiction: England and Wales
Registered Address: 3rd Floor Suite, 207 Regent Street, London, W1B 3HH, England, United Kingdom
Email (Privacy): hladenko.comp@gmail.com
Website: gladdrop.tv

15. GOVERNING LAW AND DISPUTE RESOLUTION

15.1. This Policy is governed by and construed in accordance with the laws of England and Wales.

15.2. For data subjects located in EU Member States, the provisions of the EU GDPR and the relevant national law of the EU Member State also apply.

15.3. For data subjects residing or located in Ukraine, the provisions of the Law of Ukraine "On Personal Data Protection" of 1 June 2010 also apply to the extent that they do not conflict with this Policy. In the event of a conflict of laws, priority shall be given to the legislation that affords the data subject a greater degree of protection.

15.4. All disputes arising in connection with this Policy shall be subject to the jurisdiction of the courts of England and Wales, unless otherwise required by mandatory provisions of EU law, Ukrainian law or the law of the User's country of habitual residence. Data subjects from Ukraine retain the right to apply to the courts of Ukraine or to the Ukrainian Parliament Commissioner for Human Rights in the manner prescribed by the Law.

16. FINAL PROVISIONS

16.1. The invalidity of any individual provision of this Policy shall not affect the validity of the remaining provisions or of this Policy as a whole.

16.2. This Policy is a public document. The current version is always published on the Website.

16.3. This Policy enters into force on 18 May 2026.

Last updated: 18 May 2026 | Version 1.1