Privacy Policy

The data controller for personal data processed under this policy is:

AutoCap Group Sweden AB Organisation number: 559215-7357 Nybrogatan 7, 114 34 Stockholm, Sweden Email: kontakt@autocapgroup.se

We collect personal data when you submit one of our contact forms, send us an email, or visit our website.

General enquiry form: name, email address, subject and message content.

Workshop owner enquiry form: name, workshop name, city or region, approximate annual revenue, email address, phone number, and any additional information you choose to share.

Investor enquiry form: name, organisation or fund, role/title, email address, phone number, and investment focus (optional).

Technical data collected automatically: when you visit the website, our hosting providers and server logs may record IP address, browser type, operating system, referring page, and timestamps. This data is used for security, error diagnostics, and to maintain the website.

We process personal data only where we have a legal basis under Article 6 GDPR:

• Responding to general enquiries — legitimate interests (Art. 6(1)(f)) • Workshop owner enquiries — steps taken at your request prior to a possible commercial relationship (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) • Investor enquiries — steps taken at your request prior to a possible financial relationship (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)) • Operating, securing and improving the website — legitimate interests (Art. 6(1)(f)) • Protecting contact forms against abuse — legitimate interests (Art. 6(1)(f)) • Complying with legal obligations — Art. 6(1)(c)

We retain personal data only for as long as necessary:

• Enquiries that do not lead to further dialogue: up to 12 months from last contact • Active dialogue regarding a possible acquisition or investment: duration of dialogue plus up to 24 months thereafter • Records subject to statutory retention (e.g. accounting records): seven (7) years • Server and access logs: up to 90 days, unless retained longer to investigate a security incident

We do not sell personal data. We share it only with:

Internal recipients: authorised personnel within AutoCap Group on a need-to-know basis.

Service providers (data processors): Ministry of Programming d.o.o. (development and technical maintenance), Vercel Inc. (website hosting and CDN), DigitalOcean LLC (backend hosting, database, and media storage — Frankfurt region), Resend Inc. (transactional email), Cloudflare Inc. (bot and spam protection), Mapbox Inc. (map components), Loopia AB (domain registration and DNS).

Other recipients: professional advisors, banks and financing partners, and competent authorities where required by law.

Some service providers are established outside the EU/EEA, in particular in the United States (Vercel, Resend, Cloudflare, Mapbox). Where personal data is transferred outside the EU/EEA, we rely on the European Commission's adequacy decision for the EU-US Data Privacy Framework where the recipient is certified, or Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) supplemented by additional technical and organisational measures.

Contact us for further information about safeguards applied to a specific transfer.

At launch, the website uses only strictly necessary cookies required for the website to function (cookie preferences, selected language, contact form security). These cookies do not require consent.

If we later introduce analytics or marketing cookies, we will request your consent through a cookie banner before any such cookies are set. You can withdraw consent at any time through the cookie settings link in the website footer.

For more detailed information, please see our separate Cookie Policy.

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, loss or destruction. These include encryption in transit (TLS), access controls, logging, regular security review, and contractual safeguards with our service providers.

Under the GDPR, you have the following rights:

• Right of access (Art. 15) — to obtain confirmation of whether we process your personal data and receive a copy • Right to rectification (Art. 16) — to have inaccurate or incomplete data corrected • Right to erasure (Art. 17) — to have personal data deleted in certain circumstances • Right to restriction of processing (Art. 18) • Right to data portability (Art. 20) — where processing is based on consent or contract and carried out by automated means • Right to object (Art. 21) — to processing based on legitimate interests • Right to withdraw consent (Art. 7(3)) — where processing is based on consent

We will respond without undue delay and within one month, in accordance with Article 12 GDPR.

If you believe that our processing of your personal data infringes data protection law, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):

Integritetsskyddsmyndigheten Box 8114, 104 20 Stockholm, Sweden Email: imy@imy.se Website: www.imy.se

We may update this privacy policy from time to time to reflect changes in our processing activities, our service providers, or applicable law. The "Last updated" date at the top of this policy indicates the most recent revision. Material changes will be communicated through a notice on the website.

For any questions about this privacy policy, or to exercise your rights, please contact:

AutoCap Group Sweden AB Attn: Data Protection Nybrogatan 7, 114 34 Stockholm, Sweden Email: kontakt@autocapgroup.se