This Data Processing Agreement (“Agreement”) forms part of the Main Agreement between Alethium Limited (“Processor”) and the user (“Controller”). In this Agreement, the terms “Controller,” “Processor,” “Personal Data,” “Processing,” and “Subprocessor” have the meanings given to them in the UK General Data Protection Regulation (“UK GDPR”). This Agreement sets out the Processor’s obligations regarding the Processing of Personal Data on behalf of the Controller.

For the purposes of this Agreement:

• “Controller” means the party that determines the purposes and means of Processing Personal Data.

• “Processor” means Alethium Limited.

• “Personal Data” means any information relating to an identified or identifiable natural person.

• “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means.

• “Subprocessor” means any third party engaged by the Processor to perform any Processing on behalf of the Controller.

• “Services” means the services provided by the Processor under the Main Agreement.

The Processor shall process Personal Data solely on the documented instructions of the Controller as set forth in this Agreement and the Main Agreement. The categories of Personal Data to be processed include:

• Registration details: such as name, contact information, and related data provided during account registration.

• Transactional details: including order information, payment details, and any other information arising from transactions made via the Platform.

The Processor shall Process Personal Data for the duration of the Main Agreement and only for the purposes specified herein.

The Processor agrees to implement appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

The Processor shall assist the Controller in responding to data subject requests to exercise rights under the UK GDPR (including access, rectification, erasure, and data portability), taking into account the nature of the Processing and the information available to the Processor.

The Processor may engage the following subprocessors to assist with the Processing of Personal Data:

The Processor shall not transfer any Personal Data outside the United Kingdom or the European Union.

Upon termination of the Main Agreement, the Processor shall, at the Controller’s instruction, return or delete all Personal Data processed on behalf of the Controller, unless otherwise required by applicable law.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, upon reasonable notice.

The Processor’s liability regarding data Processing is subject to the terms of the Main Agreement and applicable law. Each party remains liable for its own compliance with applicable data protection laws.