Privacy Statement

Accountability

Onesurance attaches great importance to your privacy and the careful handling of your personal data. We therefore do our utmost to explain to you in clear and simple language in this privacy statement which personal data we collect from you, what we use it for and what your rights are in this regard.

This version of this privacy statement (version: 0.01) dates from 07 April 2023.

Who are we?

“We”, “Us” or “our” means Onesurance with registered office at 4838GZ in Breda, Rithmeesterpark 50-A1 and with company number 87521997. If you have any questions, comments or complaints regarding this privacy statement or the processing of your personal data or you wish to exercise one of your rights, please contact us by e-mail at privacy@onesurance.nl.

Scope

This privacy statement applies to this website, our direct marketing activities and the general organization of Onesurance.

Why and how do we process your personal data?

When you visit our website and/or are in contact with us, it is possible that certain personal data is processed. Below you will find more information about the various processing activities that may apply to you.

Use of our website

When you visit our website, we may process personal data using online techniques such as cookies, trackers, scripts and similar technologies (hereinafter referred to as 'cookies'). This may involve (1) essential cookies that are strictly necessary to send a message via an electronic communications network, to guarantee the security of our website or to store information about the provision of a service expressly requested by you; (2) functional cookies that further shape your use of our website; (3) analytical cookies to measure and analyze your use of our website; (4) marketing cookies to provide you with (personalized) advertisements; and (5) other third-party cookies that we allow on our website. More information about this can be found in our cookie statement.

Contact via website

Consent - Contact forms are available on our website to contact us. You can also always reach us by e-mail or telephone. We process this personal data to process your contact request but have no insight into or control over any other personal data that you provide to us via the open input fields. We request that you do not provide any confidential or sensitive data here.

This processing is based on your consent. Please note that you can withdraw this at any time. This withdrawal will not affect the lawfulness of the processing that took place before the withdrawal of your consent.

What personal data do we process? Identification and contact details; other data such as may be spontaneously communicated in the contact form.
How do we obtain this personal data? Directly from you when filling out our contact form.
How long do we store it? Up to 1 year after handling the contact request plus the archiving period of the related communication (such as e-mails) to be archived.
With whom can we share this personal data (other than the affiliated and associated companies)? Processors (such as our hosting partner) that we use in the context of our website, the contact or our relationship management.
Is automated individual decision-making carried out in these activities? No.
Do these activities involve a transfer outside the EEA? No.

Customer relationship management (incl. prospecting new customers)

Legitimate interest – Onesurance is always looking for new customers, actively establishes new contacts for this purpose and builds relationships with existing customers. In this context, your personal data will be processed (e.g. to invite you to other forms of communication, an event, etc.).

This processing is based on the legitimate interest of Onesurance. You can always object to this in accordance with the conditions as described under ‘right to object’ in the chapter ‘What are your rights and how can you exercise them’.

Which personal data do we process? Identification and contact details; other data that may have been discussed during further contacts.
How do we obtain these personal data? Directly from you via relationship management.
How long do we store them? Up to 7 years after completion of a last order or contact.
With whom can we share these personal data (other than the affiliated and associated companies)? Processors (such as our CRM platform) that we use in the context of our website, the contact or our relationship management.
Is automated individual decision-making carried out in these activities? No.
Do these activities involve a transfer outside the EEA? No.

Sending newsletters

Consent - You can subscribe to our newsletter on our website. We process this personal data in order to contact you when a new newsletter is available for you.

This processing is based on your consent. You have the option to withdraw your consent at any time without this affecting the lawfulness of the data processing up to the moment of withdrawal. In concrete terms, this means that your consent remains valid for all previous newsletters, but you will no longer receive newsletters.

What personal data do we process? Identification and contact details.
How do we obtain this personal data? Directly from you when you register.
How long do we store it? As long as the consent is not withdrawn.
With whom can we share this personal data (other than the affiliated and associated companies)? Processors (such as our e-mail platform) that we use in the context of our website or the delivery of newsletters.
Is automated individual decision-making carried out in these activities? No.
Do these activities involve a transfer outside the EEA? No.

Recruitment and selection

Consent for (spontaneous) applications and maintaining a recruitment reserve - Legitimate interest for active recruitment – When you (spontaneously) apply for a position at Onesurance, Onesurance processes personal data about you. We do this for the purpose of recruiting and selecting employees for open or future vacancies.

This processing (including the creation of a recruitment reserve) is done on the basis of your consent. You have the option to withdraw your consent at any time without this affecting the lawfulness of the data processing up to the moment of withdrawal.

When Onesurance actively recruits itself, Onesurance processes personal data about you. This is done solely on the basis of data that is publicly available about you (e.g. on platforms such as LinkedIn and Google) or data that was provided to us by third parties. This processing is done on the basis of the legitimate interest of Onesurance. You can always object to this in accordance with the conditions as described under ‘Right to object’ in the chapter ‘What are your rights and how can you exercise them’.
Finally, we rely on our legitimate interest to pass on your personal data to our affiliated and associated companies in the context of our recruitment process. We always do this with a view to finding a suitable assignment for you. You can always object to this in accordance with the conditions as described under ‘right to object’ in the chapter ‘What are your rights and how can you exercise them’.

What personal data do we process? Identification and contact details; other data such as may be stated on your CV.
How do we obtain this personal data? (Spontaneous) application: directly from you when you apply. Active recruitment: via third parties such as public platforms or intermediaries.
How long do we store them? For applicants who are not selected: we store the personal data about your application for a maximum of 1 year after the application. For applicants within our recruitment reserve: as long as the consent is not withdrawn and for a maximum of 3 years after the application.
With whom may we share this personal data (other than affiliated and associated companies)? Processors (such as recruitment agencies) that we use for recruiting and selecting purposes.
Are these activities subject to automated individual decision-making? No.
Do these activities involve a transfer outside the EEA? No.

Sharing personal data with third parties

When you visit our website or use our products and services as a customer, we may use third parties in this context, such as partners, affiliated and associated companies and suppliers to whom we pass on your personal data. These third parties help us to deliver, support, develop and gain insight into the use of our products and services and provide services such as hosting, customer and technical support, marketing, analysis, content delivery and/or executing online payments. We may also share data (including personal data) with third parties in the context of a reorganization, restructuring, merger, sale or other transfer of business assets.

We share the information you provide, automatically collected information, and information from others with these third parties to the extent necessary to enable them to perform our services.

In the activities described above, we indicate per activity with which categories of third parties, other than the affiliated and associated companies, we share your personal data.

Furthermore, we may have to provide access to your data or pass on your data, due to a legal obligation, to authorities, government institutions or other third parties. Finally, we may pass on your data if this should prove necessary in the context of your vital interest.

Transfer of personal data outside the EEA

Onesurance always tries to limit the transfer of personal data to third parties outside the European Economic Area (hereinafter: "EEA"). If this is nevertheless the case, we will ensure as soon as possible in this situation that this transfer is brought into compliance with the GDPR (by, among other things, the presence of an adequacy decision in the country concerned or the arrangement of an appropriate alternative, additional measures if necessary, etc.). For the specific transfers, we refer to the chapter "Why and how do we process your personal data?".

How long do we store your personal data?

We do not store your personal data for longer than is strictly necessary to achieve the purposes for which the personal data was collected or in accordance with the legal obligation imposed on us. For the specific retention period, we refer to the chapter “Why and how do we process your personal data?”.

Automated individual decision-making

European data protection legislation (GDPR) imposes certain conditions on organisations when they make decisions about individuals solely based on processing that is fully automated, including profiling, and when these decisions have legal consequences or other significant consequences. Onesurance does not engage in this type of decision-making.

What are your rights and how can you exercise them?

Onesurance believes it is important that you always retain control over the processing of your personal data.
Below you will find more information about the various rights that you have and can invoke with regard to the processing of your personal data. Depending on the processing and the legal basis of that processing, it is possible that certain conditions or restrictions are linked to the exercise of the rights below.

To exercise these rights, or to obtain information about them, you can contact privacy@onesurance.nl. We will also provide more information if certain modalities are linked to your request. Furthermore, we may ask for additional information to verify your identity so that your personal data is not wrongly deleted or shared with someone who is not entitled to it.

We will try to respond to your request without undue delay, but in any case within one month of receipt. If we are unable to respond within one month and wish to extend the term, or if we will not comply with the request, we will notify you of this.

Right of access: In the event that we process your personal data, you have the right to access your personal data, as well as to certain additional information as described in this privacy statement. You have the right to receive from us a copy of the personal data that we have in our possession, provided that this does not adversely affect the rights and freedoms of others. The first copy will be provided to you free of charge, but in the event of repeated requests we reserve the right to charge a reasonable fee.

Right to rectification: If the personal data we hold about you is inaccurate or incomplete, you have the right to have this information corrected or, taking into account the purposes of the processing, completed.

Right to restriction of processing: You have the right to have the processing of your personal data restricted. This means that the personal data may only be stored by us and may only be used for limited purposes. This right applies if one of the following situations applies: You contest the accuracy of the personal data, for a period that enables us to verify the accuracy of the personal data; The processing is unlawful but you oppose the erasure of the personal data and request the restriction of its use instead; We no longer need your personal data for the processing purposes described above, but you require it for the establishment, exercise or defence of legal claims; or, You have objected to processing and request us to restrict the processing pending the response to the question whether our interests outweigh yours.

In addition to our right to store your personal data, we may still process it, but only: With your consent; For the establishment, exercise or defence of legal claims; To protect the rights of another natural or legal person; or For reasons of public interest. You will be informed before we lift the restriction of processing of your personal data.

Right to data portability: If the processing of your personal data is based on your consent, and the processing is carried out by automated means, you have the right to receive a copy of your personal data in a structured, commonly used and machine-readable format. You also have the right to have your personal data transmitted directly by us to a third party, if this is technically feasible. This right does not apply where it would adversely affect the rights and freedoms of others.

Right to object: You have the right to object to the processing of your personal data in the activities described above.
In the latter case, this is only possible if the activity is related to (1) the performance of a task in the public interest or in the exercise of a task in the context of the exercise of public authority vested in us or (2) the protection of our legitimate interests or those of a third party.

If you object to the processing of your personal data, we will no longer process the personal data unless we can demonstrate legitimate interests for the processing that outweigh your interests, fundamental rights and freedoms.

If your personal data is processed for direct marketing purposes, regardless of whether it concerns initial or further processing, you have the right to object to this processing at any time and free of charge, including in the case of profiling to the extent that it relates to direct marketing. If you make such an objection, we will stop processing your personal data for this purpose.

Right to erasure (right to be forgotten): You have the right to request us to erase your personal data. This means that the personal data must be deleted by us without undue delay. This right applies if one of the following situations applies: The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; You withdraw your consent on which the processing is based, and there is no other legal ground for processing your personal data; Your personal data have been processed unlawfully; Erasure of your personal data is necessary to comply with European or Dutch law.

If you request us to erase your personal data, we will erase the personal data unless one of the following situations (exceptions) applies: The processing is part of the exercise of the right to freedom of expression and information; Erasure is not appropriate for reasons of public interest in the area of public health; Erasure is not appropriate for the need for archiving in the public interest, or for statistical purposes; There is a legal obligation to retain the data; or, Erasure is not appropriate for the institution, exercise or substantiation of a legal claim.

Right to withdraw your consent: If you have given consent for certain processing of your personal data, you can withdraw it at any time.
We try to make withdrawing your consent as easy as possible and, to the extent possible, as easy as giving your consent.

Right to object to the processing of your personal data in automated individual decision-making: When your personal data is used in the context of automated individual decision-making and when these decisions have legal consequences or other significant consequences, you can request us to no longer use your data. If you object to this processing, we will stop or limit the processing unless there are compelling reasons to do so.

Who can I contact with further questions or possible complaints about privacy?

If, after reading this privacy statement, you have further questions or comments regarding the collection and processing of your personal data, you can always contact us at the following e-mail address: privacy@onesurance.nl.

You also have the right to submit any comments and remarks or complaints to the supervisory authority responsible for data protection. You can do this in the EU Member State where you reside, the pl

©2024 Onesurance B.V.
