The data controller of the processing of your personal data on the website is: Oterra A/S Address: Agern Alle 24, 2970 Hørsholm, Denmark CVR-no.: 35638784 Email: privacy@oterra.com

1.1 Cookies

Types of personal data Oterra uses cookies on the website www.oterra.com and in this connection processes your personal data. Oterra may collect the following personal data about you when you visit our websites: - IP address - Browser type and version - Time zone setting and location - Browser plug-in types and versions - Operating system and platform - Browsing history - Information about your use of our website, including click-behavior We use cookies to collect the above-mentioned personal data. You can read more about the use of cookies in our Cookie Declaration below. Be informed that Microsoft may collect personal data when you visit our website to provide Microsoft advertising. More information can be found in the Microsoft Privacy Statements: https://privacy.microsoft.com/en-us/privacystatement. The purposes of the processing Your personal data may be processed for the following purposes: - To prepare statistics and analysis for us to understand and improve our website - To promote Oterra, including through cross targeting on LinkedIn Legal basis for processing Oterra processes your personal data on the following basis: - Legitimate interests: We base the processing of your personal data on our legitimate interests in, for example, conducting statistics, analyses, as well as improving and developing our products and services (Article 6(1)(f) of the General Data Protection Regulation). - Consent: We only process your personal data for cross-targeting on LinkedIn if you have provided your consent for this (Article 6(1)(a) of the General Data Protection Regulation). You may withdraw your consent at any time by deleting cookies from your browser (guide availble here). When you visit our website, we ask for your informed consent to place cookies that are not functional cookies according to the cookie rules. You have the right to withdraw your consent at any time (guide available here).

1.2 If you use the contact form on the website, contact customer service or otherwise communicate with us

Types of personal data When using the contact form on our websites, when you contact customer service or otherwise communicate with Oterra through the means stated on our websites, Oterra collects and processes your personal data. Oterra collects, processes, and stores the following types of your personal data: - Name, email address, phone number - The company you are employed with - Country - Area of interest - What your inquiry is about - Date of your inquiry - Whether you are a potential customer, current customer, vendor, distributor, jobseeker, student, media or other We encourage you not to provide sensitive or otherwise confidential personal data such as health information, national identification number, social security number, and sexuality, to us. The objectives of the process Your personal data will be processed for the following purposes: - Handling of your inquiry - General communication - Statistics and analysis Legal basis for processing Oterra processes your personal data on the below-mentioned bases. The basis depends on the nature of your inquiry. - Legitimate interests: We may process your personal data on the basis of our legitimate interests in handling your inquiry, communicating with you, and developing our products and ser-vices (Article 6(1)(f) of the General Data Protection Regulation). - Contractual obligations: If your inquiry concerns a (potential) formation of contract, we process your data to implement measures before the formation of contract (Article 6(1)(b) of the General Data Protection Regulation). Retention period Your personal data will be stored for 1 year after closing of your case. However, the data can be stored for a longer period in anonymized form. If you are a customer or an employee of one of our customers, suppliers, or other business partners, we refer to the section below.

1.3 If you use our store

Types of personal data When you use our store, Oterra processes your personal data. Oterra may collect, process, and store the following types of your personal data: - Your name - Your email address - The company you are employed with - Country - Shipping address and delivery address - Payment information - Information about your order/purchase history - Information you provide when creating a user account/profile (email address and password) - Login information (time, date and IP address) - Digital footprints (e.g., information on how you use Oterra's store) The purposes of the processing Your personal data will be processed for the following purposes: - Completion of orders in Oterra’s store - Managing of shipments - Managing of user account/profile - Statistics and analysis to understand and improve our store and customer purchases Legal basis for processing Oterra processes your personal data on the following basis: - Legitimate interests: We process your personal data based on our legitimate interest in being able to handle orders with the company you work with, manage your profile and conduct statistics and analysis with the purpose of developing and improving our services (Article 6(1)(f) of the General Data Protection Regulation). - Contractual obligations: If you are a one-man business, we process your personal data to ful-fil the contract of purchase with you, including to be able to deliver the ordered goods (Article 6(1)(b) of the General Data Protection Regulation). Retention period As a general rule, we will store your personal data for 3 years after termination of business relation-ship. If you have purchased products covered by a warranty, we will delete your personal data at the end of the warranty period. Information relating to accounting material such as invoices and orders is kept for 5 years from the end of the current financial year. However, we can process your personal data for a longer period in anonymized form.

The data controller of the processing of your personal data in relation to Oterra’s newsletters is: Oterra A/S Address: Agern Alle 24, 2970 Hørsholm, Denmark CVR-no.: 35638784 Email: privacy@oterra.com

2. If you sign up for our newsletter(s)

Types of personal data Oterra collects, processes, and stores your personal data for marketing purposes when you sign up for newsletter(s). Oterra may collect, process, and store the following types of your personal data:

Name and email address - Your consent - Your click-behavior in relation to published material The purposes of the processing Your personal data may be processed for the following purposes: - Marketing, i.e. to promote Oterra’s products and brands and to provide you with such promoting material - Analysis and statistics to understand your interactions with our newsletters and improve our marketing performance Legal basis for processing Oterra processes your personal data on one or more of the following grounds: - Consent: Oterra will only use your personal data for direct marketing, including for sending out newsletters and for statistics and analysis, if you have given your prior and explicit con-sent to this (Article 6(1)(a) of the General Data Protection Regulation). Retention period Your personal data will be stored as long as your consent to receive newsletters is active. You can always withdraw your consent by clicking on the unsubscribe link at the bottom of each email or by contacting us as described below. However, withdrawing your consent does not affect the legality of the processing that preceded the withdrawal. Documentation of your marketing consent is kept for two years from the time you have withdrawn your consent to receive direct marketing material. The retention period is determined based on Oterra's legitimate interest in being able to document that direct marketing has been carried out in accordance with the applicable legislation (Article 6(1)(f) of the General Data Protection Regulation). In addition, the information can be stored for a longer period in anonymized form.

This section contains the policy for Oterra's processing of personal data of sole proprietorship owners or contacts of suppliers and other business partners working with Oterra. The data controller of the processing of your personal data in this regard is the Oterra entity with which you cooperate. If you are in doubt, feel free to contact: Oterra A/S Address: Agern Alle 24, 2970 Hørsholm, Denmark CVR-no.: 35638784 Email: privacy@oterra.com Collection of personal data Oterra may collect, process, and store your personal data in the following cases: - When your company or the company you work at enters into an agreement with Oterra - When you have shown interest in Oterra's products and services, e.g., by providing Oterra with your business card - When cooperating and communicating with Oterra Types of personal data Oterra may collect, process, and store the following types of personal data about you: - Name, email address, phone number, and corresponding contact information - Individual information such as preferred language, currency and country - Organizational information such as the name and address of the company you work with and job title - Contractual information such as orders, invoices, contracts, and other agreements between your company (or your employer) and Oterra that may contain e.g., your contact information - Financial information such as payment terms, bank details, invoices and payments (in the case of a sole proprietorship) We may receive such information directly from you (primarily through emails and other correspondence with you) or from a third party such as your employer. The purposes of the processing Your personal data may be processed for the following purposes: - General planning, fulfilment, and the management of collaborations, including contracts - Administration such as the processing of payments, rating evaluations, accounting, auditing, as well as providing support - Conducting inquiries from you - General communication - Product and service development - Statistics and analysis to understand and improve our business - Handling of claims and conflicts Legal basis for processing Oterra will process your personal data on one or more of the following grounds: - Legitimate interests: We may process your personal data on the basis of our legitimate interests in, for example, managing day-to-day operations in accordance with legitimate and fair business practices, including planning, execution and management of the cooperation or our legitimate interest in, for example performing statistics, analyses, provide support and as well as improvement and development of our products and services. The processing may also be necessary for our legitimate interest in establishing, defending, or asserting legal claims (Article 6(1)(f) of the General Data Protection Regulation). - Contractual obligations: If you are the owner of a sole proprietorship, your personal data may be processed to fulfil our contract with you (Article 6(1)(b) of the General Data Protection Regulation). - Legal obligation: The processing of your personal data will in some cases be necessary for compliance with legal obligations, such as our obligation to store bookkeeping material in accordance with national requirements (Article 6(1)(c) of the General Data Protection Regulation). Retention period Your personal data will be stored for 3 years from termination of the business relationship. Personal data included in bookkeeping material, such as invoices and orders, will be kept for 5 years from the end of the current financial year to ensure compliance with bookkeeping regulation. However, the information may be stored for a longer period in anonymized form.

The data controller of the processing of your personal data in relation to any visits to our physical location is the Oterra entity which you visit. If you are in doubt, feel free to contact: Oterra A/S Address: Agern Alle 24, 2970 Hørsholm, Denmark CVR-no.: 35638784 Email: privacy@oterra.com

4.1 When you deliver or pick up goods at our premises

Types of personal data When you deliver or pick up goods at our physical locations, Oterra processes your personal data through access control and video surveillance. Oterra may collect, process, and store the following types of personal data about you: - Your name - Your employer - Your phone number - License plate - Digital footprints, including information about when you have arrived and departed - Photo and video material related to video surveillance The purposes of the processing Your personal data will be processed for the following purposes: - To give you access to our physical locations - To ensure the safety of our physical locations - To prevent and solve crime in our physical locations Legal basis for processing Oterra processes your personal data on the following basis: - Legitimate interests: We base the processing of your personal data on our legitimate interests in being able to give you access to our physical locations and in protecting our physical locations as well as solving criminal offences (Article 6(1)(f) of the General Data Protection Regulation). Retention period Your personal data collected through access control will be deleted after 90 days. Pictures and video collected through video surveillance will be deleted after 30 days unless the footage contains proof related to criminal offences. However, the information can be stored for a longer period in anonymized form.

4.2 When you visit our office facilities and other buildings

Types of personal data When you visit our office facilities and other buildings, Oterra processes your personal data through video surveillance and guest registration. Oterra may collect, process, and store the following types of personal data about you: - Your name - Your employer - Your email address - License plate - Date and time of your visit - Photo and video material related to video surveillance The purposes of the processing Your personal data will be processed for the following purposes: - To give you access to our office facilities and other buildings - To manage your visit with us - To ensure the safety of our office facilities and other buildings - To prevent and solve crime in our office facilities and other buildings Legal basis for processing Oterra processes your personal data on the following basis: - Legitimate interests: We base the processing of your personal data on our legitimate interests in being able to give you access to our office facilities and other buildings, as well as in protecting our physical locations and solving criminal offences (Article 6(1)(f) of the General Data Protection Regulation). Retention period Your personal data will be stored for 30 days after which it will be deleted. However, the information can be stored for a longer period in anonymized form.

This section contains the policy for Oterra’s processing of personal data collected through Oterra’s profiles or social media pages.

Oterra and the provider of LinkedIn are jointly responsible for the processing of personal data collected in connection with your visit to Oterra’s profile on LinkedIn. Oterra complies with the guidelines on shared data liability and, using available tools and means, tries to ensure that you receive information about the processing of your personal data when you visit Oterra’s profiles or pages on social media.

Oterra and the provider of LinkedIn have concluded an agreement on the distribution of data protection tasks. According to these agreements, Oterra and the provider of LinkedIn are each responsible for the tasks connected with the processing they carry out.

However, it has been agreed between Oterra and LinkedIn that LinkedIn is responsible for responding to requests from you concerning the rights described in the section ‘Your rights’ below.

Further, Oterra uses the provider of YouTube as a processor in relation to Oterra’s use of YouTube and does, in this regard, also share certain information regarding your interactions, interests etc. with YouTube. This sharing is carried out on the basis of Oterra’s and Google’s legitimate interests in optimizing marketing and the service, including our videos on YouTube (Article 6(1)(f) of the General Data Protection Regulation).

Oterra has profiles or pages on the following social media platforms: • YouTube (Google Ireland Ltd.) • Google’s private policy is available here • You can customize your privacy settings on YouTube here • LinkedIn (LinkedIn Ireland Unlimited Company) • LinkedIn’s private policy is available here • You can customize your privacy settings on LinkedIn here Collection of personal data When you visit or interact with our social media profiles, Oterra and the social media provider may collect, process, and store the following types of personal data about you: - Information available on your profile, including your name, gender, civil status, workplace, interests, image, and your city - Whether you “like” or have applied other reactions to our profile - Comments you leave on our posts - That you have visited our profile - IP address The purposes of the processing Oterra processes your personal data for the following purposes: - Improving our products and services, including our social media profiles and pages - Statistics and analysis to understand and improve our pages - To be able to communicate with you if you comment on a post, make a review, or send us a message - Marketing, i.e. to promote Oterra’s brands and products LinkedIn process your personal data for the following purposes: - Improving their ad system - To provide Oterra with statistics which the social media providers produce based on your visit to our profiles and pages - Advertising and customizing the activities on the page. Legal basis for processing The processing of your personal data is based on the following basis: - Legitimate interests: Oterra bases the processing of your personal data on our legitimate interests in being able to communicate with and market us to you on our social media profiles, as well as our legitimate interest in improving our products and services (Article 6(1)(f) of the General Data Protection Regulation). LinkedIn base the processing of your personal data on their legitimate interests, including their interest in improving their ad system, show you ads and provide statistics to Oterra, which the social media provider, for example, prepares based on your visit to Oterra’s profile or social media page. In addition, the social media providers have a legitimate interest in providing an innovative, individually adapted, secure and profitable service (Article 6(1)(f) of the General Data Protection Regulation). - Consent: The social media providers process some of your personal data in accordance with your consent, which you can withdraw at any time through your social media privacy settings (Article 6(1)(a) of the General Data Protection Regulation). Retention period Personal data provided in direct messages will be kept for 1 year after which it will be deleted. Any interactions such as comments or likes left publicly on our pages and posts will not be deleted by us but you may delete such interactions yourself. Personal data collected as a part of the advertisement system is handled by us in aggregated form which does not enable us to identify you. Please refer to the privacy policy for LinkedIn for information on how long they store your personal data. Who does LinkedIn share your personal data with? Social media providers may, among other things, share your personal data with the following categories of recipients: • Other devices in the group of which LinkedIn is a part of • External partners providing services, such as maintenance, analysis, audit, payments, fraud detection, marketing and development • Other individuals visiting our social media profile or page (to the extent that your information is publicly available) • Other recipients to whom LinkedIn is legally obliged to disclose your personal data.

You can find more information about who LinkedIn shares your personal data with, in each provider’s privacy policy. LinkedIn may transfer your personal data to recipients outside the EU/EEA in accordance with applicable data protection legislation. This includes the United States of America.

You can read more in each provider’s privacy policy. You can read more about who Oterra shares your personal data with, in the Section Disclosure to other data controllers and hand over to data processors below.

OTERRA A/S its subsidiaries and affiliates (as identified to you during your application process) (“Oterra,” “we,” or “us”) is the company that is recruiting for the job vacancy you have applied for. As part of any recruitment process, Oterra collects and processes personal data relating to job applicants in order to assess their fit for an open position. Our organization is committed to being transparent about how we collect and use that data as well as meeting the data protection obligations set forth under the General Data Protection Regulation (GDPR). This Privacy Notice explains how Oterra processes your personal information in connection with handling of job applications.

Data controller The entity responsible for the processing of your personal information is: Oterra A/S Agern Allé 24 2970 Hørsholm Denmark CVR. No: 35638784 E-mail: privacy@oterra.com Telephone: +45 3515 5600

Description of the processing

What information do we collect? Oterra collects a range of information about you. This may include but is not limited to:

• Your name, address and contact details, including email address and telephone number, photo.

• Details of your qualifications, skills, experience, personality test results and employment history including references.

• Other relevant information related to a specific job opening such as picture ID, personal identification number.

• Criminal records.

• References.

Source of the personal data:

We collect your personal data from the following source(s):

• Directly from you, for example, data might be contained in application forms, CVs or resumes, or collected through interviews or other forms of assessment through the application process.

• We may also collect personal data about you from social media and third parties, such as references supplied by former employers and/or co-workers.

Why does Oterra process your personal data? We process your personal data in order to assess your suitability for employment.

Legal basis for the processing Oterra has a legitimate interest (GDPR article 6.1.f), in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows us to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. We may also need to process data from job applicants to respond to and defend against legal claims.

Any references will be processed on the basis of your consent (GDPR article 6.1.a).

Who has access to your data? Your information may be shared internally for the purposes of the recruitment exercise. This includes members of the HR and recruitment team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. We will then share your data with third parties to obtain references and any employment background checks needed for your employment.

How does Oterra protect data? We take the security of your data seriously. We have internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

How long does Oterra keep your data?

Information about candidates not hired is stored for up to 12 months after rejection. If you are hired for the position, the information will be transferred to your HR file and processed in accordance with the HR Privacy Policy. If your application is unsuccessful, Oterra may keep your personal data on file in case there are future employment opportunities for which you may be suited. We will ask for your consent before we keep your data for this purpose and you are free to withdraw your consent at any time.

Your rights

You have the following rights:

• You have the right to request access to and rectification or erasure of your personal data.

• You also have the right to object to the processing of your personal data and have the processing of your personal data restricted.

• If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent by contacting us at privacy@oterra.com.

• You have the right to receive your personal information in a structured, commonly used and machine-readable format (data portability).

• You may always lodge a complaint with a data protection supervisory authority, e.g. The Danish Data Protection Agency.

You can take steps to exercise your rights by contacting us at privacy@oterra.com or via the contact information set out above.

To achieve the above purposes, we may give third parties access to your personal data, which, based on a contractual relationship with Oterra, provides relevant services, this could be IT suppliers or other suppliers that process personal data for us. Such suppliers will only process personal data in accordance with our instructions according to the signed agreements.

In the context of Oterra's development, the corporate structure may change, e.g., by the total or partial sale of the company. In the case of a partial transfer of assets containing personal data, the processing basis for the related transfer of personal data is, as a rule, Article 6(1)(f) of the General Data Protection Regulation, since Oterra has an interest in transferring parts of its assets and making commercial/structural changes.

If you have ordered goods from an Oterra entity, we may also need to share your contact information, including delivery address, with our shipping partners who make sure to bring the goods to you.

We may also share your personal data with other Oterra group entities to handle requests, cooperation or ensure that we can provide our products and services in a sufficient way. Such group entities may be located outside the EU/EEA in countries which do not have an adequate level of data protection.

In addition to what is described above, in certain circumstances and in accordance with the law, it may be necessary to disclose your personal data to e.g. the police, lawyers, accountants, courts, other public authorities and potential buyers.

When your personal data is transferred to data processors or data controllers established in countries outside the EU/EEA that do not have an adequate level of protection, such transfer will only take place once a transfer basis is secured. In addition, the transfer will be based on the EU Commission's standard contracts which you may retrieve a copy of by contacting us as stated below.

• You have the right to access the personal data we process about you.

• You have the right to object to our collection and further processing of your personal data.

• You have the right to rectification and deletion of your personal data, however there are certain statutory exceptions, including the Bookkeeping Act.

• You have the right to ask us to restrict the processing of your personal data.

• In certain circumstances, you may also request to receive a copy of your personal data and to transmit the personal data you have provided to us to another data controller (data portability).

• You can withdraw any consents you may have given at any time. We will then delete your personal data unless we may continue the processing on another basis. You can cancel our newsletter by clicking on the link at the bottom of the newsletter.

If you have any questions about this privacy policy or if you wish to complain about the way we process your personal data, please feel free to contact us:

Oterra A/S Address: Agern Alle 24, 2970 Hørsholm, Denmark CVR-no.: 35638784 E-mail: privacy@oterra.com

If your complaint is not resolved by us and you want to proceed with the case, you can complain to the data protection supervisory authority in your country. A list of European data protection supervisory authorities is available here.