PRIVACY STATEMENT CPH:DOX (referred to as “CPH:DOX”, “we”, “us” and “our”) respects and protects your right to privacy in relation to your interactions with this website (the “Site”). We have adopted the following policies to safeguard your personal information and to protect its confidentiality. Any information which is provided by you to CPH:DOX via this Site or otherwise will be treated in accordance with the terms of the Data Protection Act 2018 (“Databeskyttelsesloven” af 2018) and/or such amending or replacement legislation as may be adopted in Denmark from time to time. We encourage you to read this Privacy Statement before using this Site. If you do not read or if you disagree with any aspect of the Privacy Statement, you should not use this Site. By visiting this Site, you are accepting and consenting to the practices described in this Privacy Statement. Please review our Terms of Use at https://cphdox.shift72.com/page/terms-and-conditions/ which also govern your visit to the Site. What personal information does CPH:DOX collect? When registering online with CPH:DOX you will be asked to provide certain personal information, such as your name, email address,, password, and other information required to provide you with the Services as requested. When you submit an order for the Services on the Site you will be asked to provide certain other personal information including billing information and credit or debit card details. Personal information which we collect from you will only be used for the purposes for which it was provided by you and will not be released to any third parties except to the extent as set out below CPH:DOX retains the right at all times to contact you in relation to the Services provided on this Site. How is my personal information used by CPH:DOX? We will use your personal information to identify you as a customer, to set up and administer your account, to verify credit or other charge card details, to take, process and deliver your orders for Services provided on this Site, to process or obtain payment of your orders, to provide you with effective customer service and/or technical support, to provide you with information about other products, services, offers, competitions and promotions (assuming you have consented to receiving such information as described in the “Opt-In” section of this Privacy Statement), and for any other purposes as notified to you from time to time. We do not collect or keep your personal information unless it is necessary for the above purposes(s) or required by law. CPH:DOX will not keep your information for any longer than is necessary for these purposes or as required by law. What about cookies? Cookies are alphanumeric identifiers that we transfer to your computer’s hard drive through your web browser to enable our systems to recognize your browser and to provide certain personalised features during your use of the Site, such as personalised advertisements. The Help portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. However, you should realise that certain cookies may be necessary in order to provide you with certain features such as the customised delivery of certain information. Does CPH:DOX share the information it receives? CPH:DOX will not rent, sell or share your personal information with any third party except as described below or as otherwise agreed by you. Agents: We employ other companies and individuals to perform functions on our behalf. Examples include fulfilling orders, sending postal mail and e-mail, removing repetitive information from customer lists, providing marketing assistance, providing search results and links (including paid listings and links), processing credit card payments, and providing customer service. They have access to personal information needed to perform their functions, but may not use it for other purposes. We use New Zealand based Shift 72 to manage and maintain platform’s technological infrastructure. Under Articles 44-50 of the GDPR, personal data cannot be transferred to third countries unless the country ensures an adequate level of protection. New Zealand is on the ‘approved list’. If a country is on this approved list, then Danish data controllers may transfer personal data to such countries, in the same way as if the transfer were being made within Denmark, or within the EEA. For more information on Shift72’s privacy policy please see: https://www.shift72.com/privacy-policy/. We also use Australia based, Amazon Web Services (AWS) who provide us with cloud storage solution. AWS has demonstrated compliance with a range of internationally recognised standards for content, data and infrastructure security, such as information security management system- ISO-27001, System and Organization Controls Report- SOC1/2, and The Payment Card Industry Data Security Standard; in addition, AWS has demonstrated alignment with the MPAA Content Security Best Practices and the AWS infrastructure is compliant with all applicable MPAA controls. For more information on AMS’ privacy policy please see: https://aws.amazon.com/privacy/?nc1=f_pr Business Transfers: As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but subject to the promises made in any pre-existing Privacy Statement (unless, of course, the customer consents otherwise). Also, in the unlikely event that CPH:DOX, or substantially all of its assets are acquired, customer information will of course be one of the transferred assets. Protection of CPH:DOX and Others: We release account and other personal information when we believe release is appropriate to comply with the law; enforce or apply our Terms of Use and other agreements; or protect the rights, property, or safety of CPH:DOX, our users, or others. This includes exchanging information with other companies and organisations for fraud protection and credit risk reduction. Obviously, however, this does not include selling, renting, sharing, or otherwise disclosing personally identifiable information from customers for commercial purposes in violation of the commitments set forth in this Privacy Statement. With Your Consent Other than as set out above, you will receive notice when information about you might go to third parties, and you will have an opportunity to choose not to share the information. Can I access my personal information? In compliance with the GDPR, every data subject has a number of rights in relation to the information we hold about you: • Your right of access- If you ask us, we’ll confirm whether we’re processing your personal information and, subject to any applicable exemptions, provide you with a copy of that personal information (along with certain other details) within the timescales or extended timescales provided for by the law for complex requests, or where applicable, provide you with an explanation as to why we will not be complying with your request. If you require additional copies, we may need to charge a reasonable fee. • Your right to rectification- If the personal information we hold about you is inaccurate or incomplete, you’re entitled to have it rectified. If you are entitled to rectification and if we’ve shared your personal information with others, we’ll let them know about the rectification where possible and where this would not involve disproportionate effort. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly. • Your right to erasure- You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable because that was the legal basis on which we were processing your personal information). If you are entitled to erasure and if we’ve shared your personal information with others, we’ll take reasonable steps to inform those others where possible and where this would not involve disproportionate effort. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly. • Your right to restrict processing- You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly. • Your right to data portability- You have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice. • Your right to object- You can ask us to stop processing your personal information, and we will do so, if we are: • relying on our own or someone else’s legitimate interests to process your personal information except if we can demonstrate compelling legal grounds for the processing; or • processing your personal information for direct marketing. • Your rights in relation to automated decision-making and profiling- You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us. • Your right to withdraw consent- If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time. • Your right to lodge a complaint with the supervisory authority- If you wish to contact us on any matter in relation to the processing of your personal information, please submit requests to info@cphdox.dk. How is my personal information secured? We work to protect the security of your information during transmission by using Secure Sockets Layer (SSL) software, which encrypts information you input. We will reveal only the last five digits of your credit card numbers when confirming an order. Of course, we transmit the entire credit card number to the appropriate credit card company during order processing. CPH:DOX complies with appropriate measures to industry standards to protect Users personal data. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure and therefore we cannot guarantee its absolute security. Our technology partner Shift72 also follows a number of strict measures to protect the security of your information. Here are some of their key security policies: • User’s passwords are salted and hashed, following best practice from OWASP • Users have access to their own data. Their data is not visible publicly or to other users. • Admins have access to user data, including name, email, birthdate, gender, purchase history and viewing activity. • Shift72 uses a third party secure payment partner, Stripe, who are committed to protecting your privacy whenever you buy goods or services from a merchant who uses Stripe. We follow Stripe’s best practice which means no credit card information is passed through or stored in SHIFT72’s platform. Link to Third Party Sites: You should also be aware that where you link to another site from the Site, CPH:DOX has no control over that other Site. Accordingly, CPH:DOX cannot guarantee that the controller of that Site will respect your privacy in the same manner as CPH:DOX.

Access by children: If you are aged 18 or younger, please assure that you have your parent’s/guardian’s permission before submitting your personal information to this Site. If you don’t have your parent’s/guardian’s consent, you should not submit any personal information to this Site. Notices and Revisions: Our business changes constantly, and our Privacy Statement and the Terms of Use will change also. We may e-mail periodic reminders of our notices and conditions, unless you have instructed us not to, but you should check our Site frequently to see recent changes. Unless stated otherwise, our current Privacy Statement applies to all information that we have about you and your account. We stand behind the promises we make, however, and will never materially change our policies and practices to make them less protective of customer information collected in the past without the consent of the persons affected. If you have any concern about privacy on this Site please contact us at info@cphdox.dk