Privacy and Personal Data Protection Policy on the Balencio Platform
Last update: 15 April 2026
1. Why this policy and what does it apply to?
Balencio SA is committed to respecting privacy and attaches great importance to the protection of the data it processes, as well as to legislation relating to privacy protection.
Our personal data protection policy is based on the applicable legal provisions in this area, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”), and the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data.
This policy complies with the requirements of Articles 13 and 14 of the GDPR and aims to inform users of the Balencio SA platform (https://app.balencio.com) in a concise, transparent, and understandable manner about practices concerning the protection, collection, use, and sharing of personal information provided.
It applies only to the processing of data capable of identifying or making users of the platform identifiable, directly or indirectly (hereinafter “Personal Data”).
Balencio SA undertakes at all times to comply with the requirements of the regulations applicable to the protection of personal data and to process Users’ personal data only under the conditions set out below.
Balencio SA, as a SaaS provider, acts both as a data controller and as a data processor depending on the data processing activities.
Balencio acts as a “data controller” when it collects personal data from platform users:
• Management of platform users (sociodemographic file)
• Operational management of the platform
• All processes relating to the protection and security of the platform
Balencio SA acts as a “data processor” and its Clients are data controllers for all processes carried out by the users themselves on the platform (scans, results).
2. Balencio SA as Data Controller
2.1 Who is the controller of the personal data processing?
Balencio SA, whose registered office is located at:
Rue Emile Francqui, 3
1435 Mont-Saint-Guibert
BELGIUM
registered with the Crossroads Bank for Enterprises under number 0662.639.464, is the controller of the personal data processing.
2.2 What personal data do we process?
The personal data and/or categories of personal data that we may process are as follows:
• Data necessary for user pre-registration and indirect individual identifiers (email address, login)
o (optional) Personal characteristics (gender, age, nationality, level of education)
o (optional) Career information (seniority, role, department, contract status)
• Digital individual identifiers (IP address, cookies)
• Connection data, statistics, and IT logs (date/time of connection, activities, etc.)
2.3 For what purposes do we process your personal data and on what legal basis?
Personal data concerning you are collected and processed for the following purposes:
• When we collect personal data from platform users
o Management of the opening and use of the user account on the platform (sociodemographic file)
• To operate the platform
o Operational management of the platform
o Monitoring and analysis of platform and website traffic
• To protect the platform
o All processing related to the protection and security of the platform itself
These data are processed in accordance with this statement and in compliance with the provisions of the European Data Protection Regulation.
They will only be processed by Balencio SA personnel and its subcontractors, solely for the purposes described above and in order to improve the service and provide industry benchmarks. Aggregated data allow Balencio SA to calculate industry benchmarks. Balencio aggregates data in such a way that, in accordance with applicable laws and regulations, including (without limitation) the GDPR and the Belgian Data Protection Law, the processed data become anonymized.
Under all circumstances, Balencio SA undertakes to collect and process your personal data gathered on its platform only to the extent strictly necessary for achieving one of the purposes set out in this policy. In principle, your personal data will never be used in any context other than the one announced.
When collecting your Personal Data, you will be informed whether certain Personal Data must or must not be provided in order to achieve the expected result. Failure to provide mandatory information may make it impossible to process the request.
The following table summarizes each processing activity, as well as the legal bases for processing:
| Purposes | Legal basis | Source of data |
| Management of the opening and use of the user account on the platform (sociodemographic file) | • Performance of a contract to which the data subject is party | • Your employer • Platform user |
| To operate the platform | • Performance of a contract to which the data subject is party • Pursuit of our legitimate interest in offering you a high-quality browsing experience and a functional and available platform | • Platform user • IT subcontractors |
| To protect the platform | • Pursuit of our legitimate interest in ensuring the IT security of the site and your personal data • Compliance with our legal security obligations (Art. 32 GDPR) • Establishment, exercise, or defense of legal claims • Performance of a contract to which the data subject is party | • Platform user • IT subcontractors |
No processing involves automated decision-making.
2.4 Who are the recipients of the collected data?
These personal data processing activities are carried out while respecting a strict principle of confidentiality to which these persons are contractually bound. In this respect, Balencio SA is completely independent from the employer and guarantees the confidentiality of the information collected vis-à-vis the employer and any other third party. Personal data are used to provide an individual confidential and pseudonymized report. This report is never and under no circumstances shared with the employer or any other third party.
The employer only has access to consolidated reports where the “rule of 10” is applied (a minimum of 10 observations or individuals is required for Balencio SA to present consolidated results, in order to avoid the possibility of identifying the persons whose data are included in the report).
As part of the above-mentioned data processing activities, Balencio SA may communicate your data to the following persons or organizations:
Internally within Balencio SA:
• Management staff
• Personnel responsible for platform operations and support
• Potentially any internal department on a need-to-know basis
To other organizations:
• Subcontractors involved in the various operational processes of the platform, platform security, and responses to attacks
• Any public authority legally authorized to receive the data in the event of a cyberattack or attempted attack, any court, or any government and police service responsible for investigations, lawyers and bailiffs mandated by Balencio SA, and any judicial personnel involved in prosecuting offenses and obtaining compensation
Balencio SA works closely with third-party companies that provide IT services necessary for the proper functioning of the website (hosting, storage, maintenance, registration invitations, etc.).
The Client expressly acknowledges and accepts that Balencio SA may subcontract the performance of all or part of the Client Data processing activities. Balencio SA undertakes to inform the Client of any planned changes concerning the addition or replacement of a subcontractor and to give the Client the opportunity to object to such changes.
The user accepts that this information is provided in accordance with this policy under the clause entitled “List of Subcontractors,” which it is their responsibility to consult regularly. When a subcontractor recruits another subcontractor, the subcontractor undertakes to ensure that the same obligations regarding personal data protection imposed in this policy are also imposed on that sub-subcontractor, so that the latter complies with the requirements of the aforementioned regulation.
Balencio SA ensures that these subcontractors act only on the basis of documented instructions and implement appropriate technical and organizational measures so that the processing of Personal Data they carry out complies with the GDPR and guarantees the protection of the rights of the data subjects. Balencio SA remains responsible to the Client for the performance of its obligations by its own subcontractors.
No personal data are transferred to third parties not included among the above-mentioned recipients or outside the indicated legal framework, without prejudice to their possible transfer to bodies responsible for a supervisory or inspection mission under Belgian law, such as an investigating judge.
In any event, Balencio SA will not disclose personal data to third parties for direct marketing purposes.
2.4.1 List of Subcontractors
| Subcontractor | Processing | Data Location |
| Amazon Web Services (AWS) | Hosting of applications, databases, data and files enabling Balencio to operate, including access control (via Cognito) | Frankfurt (DE) |
| Cloudar | Monitoring and administration of our infrastructure hosted by AWS | Belgium |
| InfoManiak | Hosting and operation of our Digital Vault (secret management and encryption system) | |
| | Synthesis and analysis of responses to open-ended questions through artificial intelligence – Translation of platform keys, text summarization and translation | Switzerland |
| Mailjet | Mass sending of individual email invitations to participate in scans | Frankfurt (DE), Saint-Ghislain (BE) |
| MongoDB | Hosting and operation of the databases enabling Balencio to operate | Frankfurt (DE) |
2.5 How long are your data retained?
In addition to its legal retention obligations, Balencio SA uses purpose as one of the criteria for defining the period during which data must be retained. Depending on the processing concerned, your data are retained only for the duration necessary for the processing and deleted thereafter, unless an investigation is ongoing. The data will then be retained for the time necessary to conclude the investigation.
Personal data collected during the use of the platform, in any capacity whatsoever, are retained as long as the User uses the Platform.
Regarding technical connection data, statistics, and IT logs relating to the platform, the personal data will be strictly retained for the duration necessary for the purposes previously described and in accordance with applicable legal and regulatory requirements.
2.6 Are your Personal Data transferred outside the European Union?
We do not transfer your Personal Data outside the European Union. Indeed, we use service providers that guarantee us European hosting.
2.7 What means are implemented to protect your data?
Balencio SA has implemented a number of appropriate technical and organizational security procedures, which it regularly reassesses and updates, in order to prevent destruction, loss, falsification, modification, unauthorized access, accidental disclosure to third parties, and to ensure the security and proper use of the information collected for the purpose of carrying out the processing concerned. Balencio SA implements a variety of security measures to preserve the security of your personal information, including (non-exhaustive list):
• User authentication;
• Workstation security;
• Protection of the internal IT network;
• Server security;
• Website security;
• Premises protection;
• Supervision of IT developments;
• User awareness;
• Authorization management;
• Access tracking and incident management;
• Backups and business continuity;
• Securing exchanges with other organizations;
• Encryption;
• Separation of the platform data processing functions from those supporting access control
o Amazon Cognito enables user registration, enrollment, and access control.
o The access control system (Cognito) is decoupled from the databases supporting the Balencio platform.
• Secure multi-certified hosting – ISO27001, ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018 and ISO 9001
• Encryption of data in transit and on the server block
• 24/7/365 monitoring through an outsourcing service provider
• Vulnerability management and regular updates
• Regular and independent external review of information security (penetration testing)
• Balencio pseudonymizes all individual user sessions. The principle of systematic pseudonymization, whenever and wherever possible, constitutes a central axiom in the way Balencio handles data protection matters.
• “Rule of 10” for the disclosure of consolidated results. Individual results are protected and not disclosed.
In the event of recourse to a service provider, Balencio SA ensures beforehand that the latter complies with its security obligations prior to the communication of your Personal Data.
Balencio SA has also appointed a Data Protection Officer to monitor and validate compliance with the regulations applicable to personal data protection. You may contact this Officer via the email address dataprotection@balencio.com.
2.8 What are your rights?
• Right to information
You have the right to be informed in a concise, transparent, intelligible, and easily accessible manner about how your Personal Data are processed.
• Right of access
The right of access is the right you have to obtain, upon request:
o confirmation that Personal Data concerning you are being processed
o where applicable, access to such Personal Data and a copy thereof
• Right to rectification
This is the right you have to request the rectification, without undue delay, of personal data that may be inaccurate. If you find that personal data are incomplete, you also have the right to request that they be completed. In the event of exercising this right, we undertake to communicate any rectification to all recipients of your Personal Data.
• Right to erasure
In certain cases, you have the right to request the erasure of your personal data. However, this is not an absolute right and we may, for legal or legitimate reasons, retain your Personal Data for a period compliant with the Regulations.
• Right to restriction of processing
In certain cases, you have the right to obtain from the controller the restriction of the processing of your personal data, in accordance with applicable data protection legislation.
• Right to data portability
Where applicable, you also have the right to receive your personal data in a structured, commonly used, and machine-readable format, under the conditions provided for by applicable data protection legislation. This right exists only if the legal basis for processing is consent or the performance of a contract and such processing is carried out by automated means.
• Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data if the processing is based on a task carried out in the public interest, the exercise of official authority, or legitimate interest. In this case, Balencio SA must cease processing the personal data unless we demonstrate compelling legitimate grounds for the processing that override your interests and rights and freedoms, or for the establishment, exercise, or defense of legal claims.
• Right to withdraw your consent at any time
You may withdraw your consent to the processing of your Personal Data where such processing is based on your consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.
All rights concerning data processing on the Balencio platform (scan results, reports, etc.) may be exercised via the employer and will be subject to the latter’s agreement.
All rights concerning data processing for which Balencio is considered the controller may be exercised at any time by email at the following addresses: support@balencio.com or dataprotection@balencio.com. Users exercising the right to erasure and the right to object must understand that this may result in an interruption of the service, as data processing is necessary to manage their account and the platform, and to communicate with them, in accordance with the contract binding the employer and Balencio SA.
2.9 How can you exercise your rights? To whom should you address your questions/complaints?
You may send your requests to exercise your rights:
• by email to support@balencio.com or dataprotection@balencio.com.
or
• by regular mail to the following address:
Balencio SA
Rue Emile Francqui, 3
1435 Mont-Saint-Guibert
Belgium
To ensure respect for your privacy and guarantee your security, we will take the necessary steps to verify your identity before allowing you to consult and possibly correct data.
If you believe that we are failing to comply with one of our legal and/or contractual obligations, we invite you to contact us at the same addresses, or to contact our DPO directly at dataprotection@balencio.com.
We will make every effort to provide you with follow-up as quickly as possible.
If our response does not satisfy you, you have the right to lodge a complaint with the Data Protection Authority (DPA).
Data Protection Authority
Rue de la Presse 35
1000 Brussels
Tel.: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
Email: contact@apd-gba.be
URL: https://www.autoriteprotectiondonnees.be
3. Balencio SA as Data Processor
Electronic human capital management services, such as the organization of scans, individual and aggregated reporting, and the storage of associated data are provided by Balencio SA in its capacity as a data processor, the Client of Balencio SA acting as data controller in the context of organizing such scans in order to improve the management of its human capital.
As part of these activities, Balencio SA may be required to access individuals’ personal data (hereinafter the “Client Data”) and therefore process these personal data for the aforementioned purposes.
As data controller, the Client undertakes to comply strictly with the regulations applicable to the protection of personal data when processing the Client Data and indemnifies Balencio SA against any third-party claims relating to the protection of their personal data.
As data processor, Balencio SA undertakes to comply with the following obligations and to ensure compliance by its staff:
• Process the Client Data strictly within the framework necessary for the services provided under the contract binding it to the Client, and act only on the basis of the Client’s documented instructions;
• Ensure the confidentiality of the Client Data and ensure that each person authorized to process said Client Data undertakes to respect confidentiality or is subject to an appropriate confidentiality obligation;
• Ensure the security and integrity of the Client Data under the same conditions as those previously provided for in this policy;
• Not retain the Client Data beyond the duration of the contract binding it to the Client or any other duration specified by the Client;
• Not grant, rent, assign, or otherwise communicate all or part of the Client Data to another person;
• Taking into account the nature of the processing, provide assistance to the Client, insofar as possible, to enable it to respond, within the deadlines and under the conditions provided for by applicable personal data protection regulations, to any request for the exercise of a right, request, or complaint from a person concerned by the processing of the Client Data or from a data protection authority or any other regulator;
• Provide assistance to the Client in carrying out privacy impact assessments and/or formalities to be completed by the Client in relation to the Client Data. The Client acknowledges and accepts that the assistance services to be carried out in this context may be the subject of a separate service proposal from Balencio SA;
• Make available to the Client, subject to compliance with a confidentiality undertaking, all information necessary to demonstrate compliance with the obligations set out in this article and to allow audits, including inspections, to be carried out by the Client or any auditor mandated by it, and contribute to such audits. Audits carried out in this context must comply with the conditions and terms provided for in the contract binding Balencio SA to the Client. The latter acknowledges and accepts that the assistance services to be carried out in this context may be the subject of a separate service proposal from Balencio SA;
• Notify the Client as soon as possible in the event of a breach of the Client Data of which it becomes aware, the notification being accompanied by all useful documentation enabling the Client, if necessary, to notify such breach to the competent supervisory authority, and assist the Client in implementing any action enabling it to deal with such data breach.
4. Update and Effective Date
This policy entered into force on 15 April 2026.
It may be amended at any time, particularly to take into account possible legislative or regulatory changes, or changes relating to the processing activities carried out.
Balencio SA therefore reserves the right, at its sole discretion, to change, modify, add, or remove portions of this policy at any time.
We therefore encourage you to consult it regularly via https://balencio.com/en/privacy-policy/.