This document regulates the internal policies of personal data protection of the company PUZZLE and covers the most important aspects regarding the proper management and protection of personal data.

1. Objectives
The main objectives of this Data Privacy Policy are: 
• To ensure that all personal information in Puzzle’s custody is adequately protected against threats.
• To ensure that Puzzle employees are fully aware of the contractual, legal or regulatory implications of any privacy breaches.
• Ensure that all third parties who collect, store and process personal information on Puzzle’s behalf provide adequate data protection.
• Ensure that applicable regulations and contracts are complied with in relation to the maintenance of privacy, protection and cross-border transfer of personal information.

2. Terms and Definitions
• Anonymize: To process a collection of personal data or information in such a way that a natural person cannot be identified on the basis of the data or information collection.
• Data Subject: A living individual about whom personal information is processed by or on behalf of Puzzle or a Third Party Data Controller.
• Personal Data or Personal Information: Any information that relates to a natural or legal person, which directly or indirectly, in combination with other available information, is capable of identifying that person.
• Third parties: All external entities – including, but not limited to, suppliers, distributors, service providers and partners – that have access to Puzzle’s information assets, information systems or that transmit personal information from them.
• Third Party Personal Data Controllers. All external entities – including, but not limited to, suppliers, distributors, service providers and customers authorized to process personal data by natural or legal persons.

3.Principles
In the processing of personal data, Puzzle adopts actions aimed at preserving the following basic principles:

• Principle of lawfulness
Puzzle will take the necessary actions to ensure that the personal data it collects, stores and processes from Data Subjects are processed lawfully and fairly. To this end, it shall pay particular attention to:
A. the obtaining of the data subject’s consent or, as the case may be, the existence of any other condition of lawfulness of processing provided for in the applicable legislation.
B. the necessity of the processing and the legitimate purpose of the processing. Personal data shall be collected for legitimate purposes and shall not be further processed in a way incompatible with those purposes.

• Principle of transparency
Puzzle shall take the necessary measures to ensure that Data Subjects are provided with easily accessible and intelligible information about the personal data it collects, stores and processes.
Among other measures, the following information will be provided to all Data Subjects:
A. Type of information collected.
B. How the information is collected.
C. Purpose for collecting the information.
D. Time period and conditions of conservation of the personal data.
E. Conditions for the transfer of the information.

• Principle of commitment to the rights of the data subject
Puzzle must provide Stakeholders with clear and simple tools and/or procedures to guarantee and ensure the correct exercise of the rights of the Stakeholder according to the applicable legal system, such as the right of access, rectification, deletion, opposition, the right to withdraw consent at any time and the right to file complaints.

Puzzle guarantees the Stakeholders the following rights:
A. Right of access: this is the right of the Data Subject to obtain confirmation of whether or not Puzzle is processing their personal data and, if so, to obtain information about their specific personal data and the processing that Puzzle has carried out or is carrying out, as well as,
among others, the information available on the origin of such data.
B. Right of rectification: This is the right of the Data Subject to have his or her personal data amended if it proves to be inaccurate or, taking into account the purposes of the processing, incomplete.
C. Right of erasure (“the right to be forgotten”): This is the right of the data subject, insofar as the legislation in force does not provide otherwise, to obtain the erasure of his personal data when they are no longer necessary for the purposes for which they were collected or processed; to withdraw his consent to the processing if this has no other lawful basis; to object to the processing if there is no other legitimate reason to continue the processing.

• Principle of limitation of the storage period
Puzzle will not retain the Data Subject’s personal data beyond the periods for which it can be justified in accordance with the applicable law of each jurisdiction.
• Principle of security of processing Puzzle, at any stage of the processing cycle, apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk to which the personal data may be exposed and in any case, in accordance with the security measures established in the law in force in each of the countries and / or regions in which it operates and internal security regulations. If at any time this security is compromised, Puzzle will act quickly and responsibly informing stakeholders about the situation occurred.
Also, Puzzle will protect at all times the confidentiality of the data of data subjects, in accordance with the internal rules of classification and processing of information.
As far as possible, Puzzle will receive anonymized data from third parties responsible for personal data.

4. Conditions for consent
Puzzle will provide the interested parties with clear and transparent information about the use and storage of their personal data, so that they can freely, specifically, informed and unequivocal consent on the processing of the same to be carried out.

5. Security Practices for Privacy
• Puzzle’s information security policy and procedures are documented and implemented to ensure the reasonable security of personal information collected, stored, used, transferred and disposed of by Puzzle.
• Puzzle establishes procedures that maintain the physical and logical security of personal information.
• Puzzle establishes and maintains protocols and procedures for responding to security incidents involving personal data or privacy practices.

6. Disclosure to Third Parties and External Transfers
• Personal information will be disclosed to third parties only for legitimate and identified business purposes, with the consent of the data subjects obtained in advance, unless otherwise permitted or required by law or regulation.
• Where reasonably possible, Puzzle will ensure that third parties who are responsible for collecting, storing or processing personal information on Puzzle’s behalf have:
o Signed agreements to protect personal information in accordance with Puzzle’s Data Privacy Policy or measures implemented as prescribed by law;
o Signed confidentiality agreements or agreements that include privacy clauses in the contract; and
o Procedures in place to comply with the terms of your agreement with Puzzle to protect personal information.

• Personal information may be transferred out of the location where Puzzle carries out storage or processing, in any of the following cases:
o The individual has consented to the transfer of information.
o The transfer is necessary for the performance of a contract between the Data Subject and Puzzle.
o The transfer is necessary or legally required for important reasons of public interest or for the recognition, exercise or defense of a right in legal proceedings.

7. International Transfer of Data
The information provided by Stakeholders may be transferred internationally to third parties for processing in accordance with the requirements established by the applicable legislation in each country and/or region, and international agreements, where the transfer is made.

8. Privacy in the supply chain
Puzzle, will contractually ensure that any supplier acting under its authority and has access to personal data of Stakeholders of its ownership, can only process such data on its instructions and, in any case, securely by adopting the necessary technical and organizational security
measures and full compliance with the applicable legal system and internal regulations.
Thus, Puzzle will prioritize the choice of those suppliers that ensure compliance with data protection legislation applicable to the treatment entrusted and, in addition, this policy.

9. Requirements of competent authorities
Puzzle is subject to the legal environments in which it operates, so it must, in exceptional circumstances and always expressly provided for in national laws, respond to requests from the competent authorities relating to certain information about the communications of its customers and / or users.

10. Data Protection Officer.
The Company has Nicolás López Franco as Data Protection Delegate, who has a Master in Data Protection Data Protection Officer (DPO) from the Antonio de Nebrija University of Spain.

11. Version and document control
Version 1. Effective date: November 9, 2022.