Privacy Policy

Chain Atlas is a professional B2B digital ecosystem operated by TAMTRADETAM S.R.L. ("we", "us", "our"), designed to connect brand owners, distributors, and business buyers in the context of international distribution partnerships. This Privacy Policy explains how we collect, use, store, share, and protect personal data when you access or use the Chain Atlas platform available at chain-atlas.com (the "Platform").

We are committed to protecting the privacy and personal data of all individuals who interact with our Platform in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "General Data Protection Regulation" or "GDPR") and applicable Romanian data protection legislation.

By accessing the Platform or creating an account, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms set out herein, you must discontinue use of the Platform.

The data controller responsible for the processing of your personal data is:

TAMTRADETAM S.R.L. Str. Furnaliștilor, Nr. 4, Bl. D1, Sc. 1, Ap. 2 800629 Galați, Romania CUI: 53297663 Trade Register: J2026002747004 Email: [email protected] Website: chain-atlas.com

For all data protection enquiries, please reference "Privacy / GDPR Request" in the subject line of your communication.

We collect personal data in the following categories, depending on how you interact with the Platform:

Account Registration Data: When you create an account, we collect your full name, professional email address, password (stored in hashed form), country of residence or business, and your selected role on the Platform (brand owner, distributor, or business buyer).

Company Profile Data: When you create or manage a company profile or pavilion, we collect your company name, registered address, VAT/CUI number, trade register number, website URL, telephone number, industry sector, and any descriptive content, logos, or media you voluntarily upload.

Transaction and Billing Data: When you subscribe to a paid membership plan, we collect billing name, billing address, and payment method details. Payment card data is processed exclusively by our third-party payment processor, Stripe, Inc., and is never stored on our servers. We retain records of transaction amounts, dates, subscription plan identifiers, and Stripe customer and subscription identifiers.

Usage and Interaction Data: We automatically collect data about how you interact with the Platform, including pages visited, features used, search queries submitted, time and duration of sessions, and actions taken such as submitting partnership applications or access requests.

Technical Data: We collect IP addresses, browser type and version, operating system, device identifiers, referring URLs, and language preferences.

Communications Data: If you contact us via email or through the Platform's support channels, we retain the content of your communications and your contact details for the purpose of responding to your enquiry and maintaining a record of support interactions.

The Platform processes personal data relating to the following categories of data subjects:

Brand Owners — Representatives of companies seeking distribution partnerships who create accounts and publish company pavilions on the Platform.

Distributors — Companies or individuals offering distribution services who register to present their logistics capabilities and geographic coverage.

Business Buyers — Retail or wholesale buyers seeking products or brands who access the Platform to discover and evaluate potential partners.

Platform Administrators — Internal staff of TAMTRADETAM S.R.L. who manage and operate the Platform.

Visitors — Unauthenticated users browsing publicly available content on the Platform without having created an account.

We process personal data for the following purposes:

Service Delivery: To create and manage user accounts, publish company profiles and pavilions, facilitate discovery between brands and distributors, process membership subscriptions, and provide all core functionalities of the Platform.

Contract Performance: To execute subscription agreements, process payments, issue invoices, and manage account lifecycle events including upgrades, downgrades, and cancellations.

Platform Security and Integrity: To detect, prevent, and investigate fraudulent activity, unauthorised access, abuse of the Platform, and violations of our Terms and Conditions.

Analytics and Platform Improvement: To understand how users interact with the Platform, identify usability issues, measure the effectiveness of features, and inform product development decisions. Analytics data is processed in aggregated or pseudonymised form wherever possible.

Communications and Support: To respond to support requests, send transactional notifications such as subscription confirmations, payment receipts, and account alerts, and to provide customer service.

Legal Compliance: To comply with applicable legal obligations, including tax and accounting requirements, regulatory reporting, and responding to lawful requests from competent authorities.

Owner and Operational Notifications: To notify the Platform operator of significant events such as new subscriptions, partnership applications, and system alerts.

We rely on the following legal bases under Article 6 GDPR for each category of processing:

Performance of a Contract (Art. 6(1)(b)): Account creation and management, subscription billing and payment processing, and company profile publication are necessary for the performance of the contract between you and TAMTRADETAM S.R.L.

Legitimate Interests (Art. 6(1)(f)): Platform security, fraud prevention, and analytics and usage tracking are carried out on the basis of our legitimate interest in operating a secure and effective platform. We have assessed that these interests are not overridden by your rights and interests.

Legal Obligation (Art. 6(1)(c)): Processing for legal and regulatory compliance, including tax, accounting, and responding to lawful authority requests, is carried out to fulfil our legal obligations.

Consent (Art. 6(1)(a)): Where analytics cookies or marketing communications are used, we rely on your freely given, specific, informed, and unambiguous consent. Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

We do not sell, rent, or trade your personal data to third parties. We may share personal data with the following categories of processors and recipients, each bound by appropriate data processing agreements or standard contractual clauses:

Payment Processors: Stripe, Inc. processes payment card data and manages subscription billing on our behalf. See Section 8 for further details.

Cloud Infrastructure Providers: The Platform is hosted on cloud infrastructure that may process personal data on our behalf. All infrastructure providers are contractually bound to process data only on our documented instructions and to implement appropriate security measures.

Analytics Providers: We use analytics services to collect aggregated usage data. Where such services process personal data, they do so under data processing agreements and are prohibited from using your data for their own purposes.

Legal and Regulatory Authorities: We may disclose personal data to courts, regulators, law enforcement agencies, or other public authorities where required by applicable law or in response to a valid legal process.

Business Transfers: In the event of a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the acquiring entity, subject to equivalent data protection obligations.

We require all third-party processors to implement appropriate technical and organisational measures to protect personal data and to process it solely for the purposes specified in their agreements with us.

Subscription payments on the Platform are processed by Stripe, Inc., a PCI DSS-compliant payment service provider. When you submit payment information, your card details are transmitted directly and securely to Stripe's servers using TLS encryption. TAMTRADETAM S.R.L. does not receive, store, or process raw payment card numbers at any point.

Stripe may collect and process personal data including your name, email address, billing address, payment method details, and transaction history in accordance with its own Privacy Policy, available at stripe.com/privacy. Stripe acts as an independent data controller for certain processing activities and as a data processor on our behalf for others.

For subscriptions, Stripe retains billing records and payment history as required by applicable financial regulations. You may manage your payment methods and billing information through the customer billing portal accessible from your account dashboard. For disputes relating to payment processing, please contact Stripe directly or reach us at [email protected].

The Platform uses cookies and similar tracking technologies to ensure functionality, improve user experience, and collect analytics data. A cookie is a small text file stored on your device by your browser when you visit a website.

Essential Cookies: Required for the Platform to function correctly, including session management, authentication state, and security tokens. These cookies cannot be disabled without impairing Platform functionality. No consent is required for essential cookies under applicable law.

Analytics Cookies: Used to collect aggregated information about how users navigate and interact with the Platform. This data helps us understand usage patterns and improve the Platform. Analytics data is processed by our analytics provider and is subject to the consent mechanism presented upon your first visit to the Platform.

Preference Cookies: Used to remember your settings and preferences, such as language selection and display options.

You may manage your cookie preferences through the cookie consent banner displayed upon your first visit to the Platform, or through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. For more information about managing cookies, visit allaboutcookies.org.

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, subject to the following principles:

Active Accounts: Personal data associated with active accounts is retained for the duration of the account's existence on the Platform.

Closed Accounts: Following account deletion or termination, we retain personal data for a period of up to 3 years to comply with legal obligations (including tax and accounting requirements), resolve disputes, enforce our agreements, and maintain records of completed transactions.

Payment Records: Transaction records and billing data are retained for 7 years in accordance with Romanian and EU accounting and tax legislation.

Support Communications: Records of support interactions are retained for 2 years from the date of the last communication.

Analytics Data: Aggregated and pseudonymised analytics data may be retained indefinitely as it does not constitute personal data in identifiable form.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised in accordance with our data destruction procedures.

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration, or disclosure. These measures include:

Technical Measures: Transport Layer Security (TLS) encryption for all data transmitted between your browser and our servers; hashed storage of user passwords using industry-standard algorithms; role-based access controls limiting data access to authorised personnel only; and regular security assessments and monitoring of our infrastructure.

Organisational Measures: Contractual data protection obligations imposed on all third-party processors; internal access policies restricting data handling to authorised staff; and incident response procedures to detect, report, and remediate personal data breaches in accordance with Article 33 GDPR.

Notwithstanding these measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security and accept no liability for breaches that result from circumstances beyond our reasonable control. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable law.

The Platform is operated from Romania, within the European Economic Area (EEA). Some of our third-party processors, including Stripe, Inc. and certain cloud infrastructure providers, may transfer and process personal data outside the EEA, including in the United States.

Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on adequacy decisions where applicable. These safeguards ensure that your personal data receives a level of protection equivalent to that guaranteed within the EEA.

You may request further information about the specific safeguards applicable to international transfers of your personal data by contacting us at [email protected] with the subject line "International Transfer Enquiry".

As a data subject under the GDPR, you have the following rights with respect to your personal data:

Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is processed.

Right to Rectification (Art. 16): You have the right to request the correction of inaccurate or incomplete personal data we hold about you.

Right to Erasure (Art. 17): You have the right to request the deletion of your personal data where there is no longer a legal basis for its retention, subject to applicable legal obligations.

Right to Restriction of Processing (Art. 18): You have the right to request that we limit the processing of your personal data in certain circumstances, such as where you contest the accuracy of the data.

Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible.

Right to Object (Art. 21): You have the right to object to processing of your personal data carried out on the basis of legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Right to Lodge a Complaint: You have the right to submit a complaint to the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at anspdcp.ro, or to the supervisory authority of your country of residence within the EEA.

These rights are subject to limitations and conditions set out in applicable data protection law. We will respond to all verified requests within 30 days of receipt, extendable by a further two months in complex cases with prior notification.

To exercise any of the rights described in Section 13, please submit a written request to:

Email: [email protected] (subject line: "GDPR Request — [Right Type]")

Postal Address: TAMTRADETAM S.R.L. Str. Furnaliștilor, Nr. 4, Bl. D1, Sc. 1, Ap. 2 800629 Galați, Romania

We may request proof of identity before processing your request in order to protect against unauthorised access to personal data. Requests will be processed free of charge unless they are manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or decline to act, providing written reasons for our decision.

You also have the right to lodge a complaint with the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal) at anspdcp.ro, or with the supervisory authority of your country of residence within the EEA.

The Platform is intended exclusively for business professionals and corporate entities. We do not knowingly collect or process personal data relating to individuals under the age of 18. The Platform is not directed at children, and we do not offer services to minors.

If you believe that a minor has provided personal data through the Platform without appropriate parental or guardian consent, please contact us immediately at [email protected] with the subject line "Minor Data Concern". Upon verification, we will take prompt steps to delete such data from our systems.

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our data processing practices, legal requirements, or Platform functionality. The "Last Updated" date at the top of this document indicates when the most recent revision was made.

When material changes are made, we will notify registered users by email or through a prominent notice on the Platform at least 14 days before the changes take effect. For non-material changes, such as corrections or clarifications, the updated policy will take effect immediately upon publication.

Continued use of the Platform following the effective date of any changes constitutes acceptance of the revised Privacy Policy. If you do not agree to the revised Privacy Policy, you must discontinue your use of the Platform and, if applicable, request deletion of your account.

For all privacy-related enquiries, data subject requests, or concerns regarding this Privacy Policy, please contact:

TAMTRADETAM S.R.L. Str. Furnaliștilor, Nr. 4, Bl. D1, Sc. 1, Ap. 2 800629 Galați, Romania

Email: [email protected] Platform: chain-atlas.com

We aim to acknowledge all privacy-related communications within 24 hours on business days and to resolve requests within the statutory timeframes prescribed by the GDPR. For data protection enquiries, please reference "Privacy / GDPR Request" in your communication.