Data Policy

Nuitée is a next-generation travel technology platform revolutionizing hotel distribution and travel infrastructure.

Last updated: January 2025

Data Protection Agreement

This Data Protection Agreement ("Agreement") is entered into between Nuitée Travel Limited ("Nuitée", "we", "us", or "our") and the party accessing or using our services ("you", "your", or "User"). This Agreement governs the collection, processing, storage, and protection of personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and other relevant privacy legislation. By using our services, you acknowledge that you have read, understood, and agree to be bound by this Agreement. If you do not agree with any part of this Agreement, you must not use our services. This Agreement supplements and does not replace our Privacy Policy, Terms and Conditions, and Cookies Policy. In case of any conflict between this Agreement and other policies, the provisions of this Agreement shall prevail with respect to data protection matters.

Controller to Controller

Nuitée Travel Limited acts as an independent data controller in relation to the personal data we process in connection with our services. We are responsible for determining the purposes and means of processing personal data in accordance with applicable data protection laws.

As a data controller, we:
• Determine the legal basis for processing personal data
• Implement appropriate technical and organizational measures to protect personal data
• Ensure compliance with data protection principles
• Respect data subjects' rights and freedoms
• Maintain records of processing activities
• Conduct data protection impact assessments where required

We process personal data for legitimate business purposes, including but not limited to:
• Providing and improving our travel technology services
• Processing bookings and reservations
• Customer support and communication
• Marketing and promotional activities (with consent)
• Legal compliance and regulatory requirements
• Fraud prevention and security

We do not sell, rent, or otherwise monetize personal data. We may share personal data with trusted third parties only when necessary for service provision, legal compliance, or with explicit consent, and always in accordance with applicable data protection laws.

Definitions

For the purposes of this Data Policy, the following terms shall have the meanings set forth below:

**Personal Data** means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

**Processing** means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

**Controller** means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

**Processor** means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

**Consent** means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

**Data Subject** means the identified or identifiable natural person to whom personal data relates.

**Supervisory Authority** means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

**Data Breach** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Interpretations

This Data Policy shall be interpreted in accordance with the following principles:

**1. Legal Compliance:** All provisions shall be interpreted in a manner that ensures compliance with applicable data protection laws, including but not limited to the GDPR, the Data Protection Act 2018, and any other relevant privacy legislation.

**2. Data Subject Rights:** The interpretation of this Policy shall prioritize the protection of data subjects' fundamental rights and freedoms, including the right to privacy and data protection.

**3. Proportionality:** Any processing of personal data shall be interpreted as necessary and proportionate to the legitimate purposes for which it is collected and processed.

**4. Transparency:** All provisions shall be interpreted to ensure maximum transparency regarding our data processing activities and the rights of data subjects.

**5. Accountability:** We shall interpret and implement this Policy in a manner that demonstrates our accountability for all data processing activities.

**6. Lawfulness:** All data processing shall be interpreted as lawful, fair, and transparent, with appropriate legal basis for each processing activity.

**7. Purpose Limitation:** Personal data shall be interpreted as collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

**8. Data Minimization:** We shall interpret this Policy to ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

**9. Accuracy:** Personal data shall be interpreted as accurate and, where necessary, kept up to date.

**10. Storage Limitation:** Personal data shall be interpreted as kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

Nuitée's Obligations

As a data controller, Nuitée Travel Limited undertakes the following obligations:

**1. Lawful Processing:** We shall process personal data lawfully, fairly, and in a transparent manner in relation to the data subject.

**2. Purpose Limitation:** We shall collect personal data for specified, explicit, and legitimate purposes and not further process it in a manner incompatible with those purposes.

**3. Data Minimization:** We shall ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

**4. Accuracy:** We shall take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.

**5. Storage Limitation:** We shall keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

**6. Security of Processing:** We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

**7. Data Subject Rights:** We shall respect and facilitate the exercise of data subjects' rights, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

**8. Data Protection Impact Assessments:** We shall carry out data protection impact assessments for processing operations that are likely to result in a high risk to the rights and freedoms of natural persons.

**9. Breach Notification:** We shall notify the relevant supervisory authority of any personal data breach within 72 hours of becoming aware of it, and inform data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

**10. Records of Processing:** We shall maintain records of all processing activities under our responsibility.

User Obligations

Users of our services have the following obligations regarding data protection:

**1. Lawful Use:** Users shall use our services in accordance with applicable laws and regulations, including data protection laws.

**2. Accurate Information:** Users shall provide accurate, complete, and up-to-date information when using our services.

**3. Consent Management:** Users shall provide genuine consent for any processing activities that require consent and shall have the right to withdraw consent at any time.

**4. Security Measures:** Users shall implement appropriate security measures to protect any personal data they may process in connection with our services.

**5. Compliance:** Users shall comply with all applicable data protection laws and regulations in their jurisdiction.

**6. Cooperation:** Users shall cooperate with Nuitée in ensuring compliance with data protection requirements and shall respond promptly to any requests for information or assistance.

**7. Notification:** Users shall notify Nuitée immediately of any suspected or actual data breaches involving personal data processed in connection with our services.

**8. Third-Party Data:** Users shall ensure that any personal data of third parties they provide to us is collected and processed lawfully and with appropriate consent.

**9. Data Subject Rights:** Users shall respect the rights of data subjects and shall not interfere with the exercise of such rights.

**10. Documentation:** Users shall maintain appropriate documentation of their data processing activities as required by applicable law.

Joint Responsibilities

In certain circumstances, Nuitée and our users may act as joint controllers or have shared responsibilities for data protection:

**1. Joint Controllership:** Where Nuitée and a user jointly determine the purposes and means of processing personal data, both parties shall be considered joint controllers and shall:
• Clearly define their respective responsibilities for compliance with data protection obligations
• Make the essence of the joint controllership arrangement transparent to data subjects
• Ensure that data subjects can exercise their rights against either controller
• Allocate responsibilities for data protection compliance between the parties

**2. Shared Security:** Both parties shall implement appropriate technical and organizational measures to ensure the security of personal data, including:
• Encryption of personal data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Incident response procedures
• Staff training on data protection

**3. Breach Response:** In case of a personal data breach, both parties shall:
• Cooperate in investigating and containing the breach
• Share relevant information about the breach
• Coordinate notification to supervisory authorities and data subjects
• Implement remedial measures to prevent future breaches

**4. Data Subject Rights:** Both parties shall:
• Establish clear procedures for handling data subject requests
• Ensure that data subjects can exercise their rights effectively
• Coordinate responses to data subject requests
• Maintain records of data subject interactions

**5. Compliance Monitoring:** Both parties shall:
• Regularly review and update data protection measures
• Conduct compliance assessments
• Provide training to relevant personnel
• Maintain documentation of compliance activities
