This Privacy Policy is provided in compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, EU General Data Protection Regulation (EU GDPR, Regulation 2016/679), California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable international data protection laws (e.g., PIPEDA, LGPD, APPI, PDPL, Australian Privacy Act, Indian DPDP Act). It applies to users (hereinafter “Users” or “User”) of the Spokel.com website and applications, including desktop and mobile versions (hereinafter “Website and Apps”), operated by Binariver Ltd., located at 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom (Company Number 10620589), the Data Controller (hereinafter “Controller”). Spokel.com is a real estate listing platform where companies, real estate agencies, and private individuals publish listings for sale or rent, and customers can search and contact them. This policy describes the methods for managing the Website and Apps with respect to personal data processing and informs Users about the purposes and methods of processing their personal data when provided. The services offered by the Controller are intended for individuals aged 18 and over. If the Controller becomes aware of data processing involving individuals under 18 without valid parental or legal guardian consent, it reserves the right to terminate the use of the service and delete the collected data. Terms not defined in this Privacy Policy have the same meaning as in the General Terms and Conditions available on the Website and Apps. Users publishing real estate listings (e.g., agencies, private individuals) must comply with the General Terms and Conditions and this Privacy Policy, taking responsibility for any third-party data communicated or published (e.g., property details, contact information), ensuring they have the legal right to do so. The Controller is not liable for third-party claims arising from illegitimate data use. This policy applies solely to Spokel.com’s Website and Apps and does not cover other websites accessible via links.

The Controller ensures that personal data processing complies with the principles of: - Lawfulness, fairness, and transparency (UK GDPR Art. 5(1)(a); EU GDPR Art. 5(1)(a); CCPA S.1798.100). - Purpose limitation (data collected for specified purposes). - Data minimisation (only necessary data collected). - Accuracy (data kept up to date). - Storage limitation (data retained only as needed). - Integrity and confidentiality (data protected against unauthorized access). - Accountability (compliance demonstrated). These principles align with jurisdiction-specific laws (e.g., PIPEDA Principle 4.1, LGPD Art. 6, APPI Art. 16) as outlined in the Customer Jurisdiction Compliance Framework.

Users are categorized as follows: - Basic Users: Customers who browse real estate listings anonymously or register to save searches, contact advertisers, or receive updates. - Professional Users: Real estate agencies, companies, or private individuals who, after signing a Service Contract, publish listings or access advanced services (e.g., analytics, priority listings).

Personal data provided by Users through the Website and Apps are processed with their consent, contract performance, or other lawful bases for the following purposes, tailored to Spokel.com’s real estate platform and aligned with jurisdiction-specific requirements:

- Purpose: Enable services such as browsing, saving, or searching real estate listings, contacting advertisers, or receiving automated listing updates. - Data Collected: Name, surname, email address, phone number (mandatory for registration). Optional data (e.g., address, property preferences) may be provided via the User Profile. - Legal Basis: - UK/EU: Consent (UK GDPR Art. 6(1)(a); EU GDPR Art. 6(1)(a)) or contract performance (Art. 6(1)(b)). - California: Consent per CCPA S.1798.140(v). - Canada: Consent per PIPEDA Principle 4.3. - Argentina, Brazil, Japan, Australia, India: Consent per PDPL Art. 3, LGPD Art. 7, APPI Art. 16, APP 3, DPDP Act S.6. - Other Countries: UK GDPR baseline (Art. 6(1)(a)). - Optional Nature: Mandatory data are required for registration; failure to provide them prevents access to advanced services (e.g., saving searches, contacting advertisers). Optional data provision does not affect service access.

- Purpose: Allow Basic Users to share data with advertisers (e.g., real estate agencies, private listers) or forward search preferences to relevant professionals for property inquiries. - Data Collected: Name, email, phone, search preferences (e.g., property type, location, budget). - Legal Basis: Consent (UK GDPR Art. 6(1)(a); EU GDPR Art. 6(1)(a); CCPA S.1798.140(v); PIPEDA Principle 4.3; LGPD Art. 7; APPI Art. 16; PDPL Art. 3; APP 3; DPDP Act S.6). - Optional Nature: Optional; non-provision limits contact or search forwarding but does not affect other services.

- Purpose: Facilitate listing publication by Professional Users (agencies, companies, private individuals) or provide services like mortgage advice via third-party providers (e.g., financial intermediaries). - Data Collected: For listing publication: Name, surname, company name (if applicable), email, phone, property details. For mortgage advice: Name, email, phone, financial preferences. - Legal Basis: - UK/EU: Consent (UK GDPR Art. 6(1)(a)) or contract performance (Art. 6(1)(b)). - California: Consent per CCPA S.1798.140(v). - Other jurisdictions: Consent or contract per local laws (e.g., LGPD Art. 7, DPDP Act S.6). - Optional Nature: Mandatory for Professional Users to publish listings or access third-party services (e.g., mortgage advice, requiring third-party terms). Non-provision prevents access to these services but does not affect other functionalities. - Note: Third parties (e.g., banks, agencies) act as independent controllers; Binariver Ltd. is not liable for their processing.

- Purpose: Provide real estate sector news, promotional communications, and personalized marketing based on User activity (e.g., property searches, listing interactions). - Data Collected: Name, email, browsing/activity data. - Legal Basis: - UK/EU: Consent (UK GDPR Art. 6(1)(a); EU GDPR Art. 6(1)(a)). - California: Consent with opt-out rights (CCPA S.1798.120). - Other jurisdictions: Consent per local laws (e.g., APPI Art. 16, APP 6). - Optional Nature: Users can opt out via User Profile settings (“I would like to receive promotional notices” or “I would like to receive newsletters”). California residents can opt out of data “sales” or “sharing” per CCPA S.1798.120. Non-provision does not affect service access.

- Purpose: Enable Professional Users to publish real estate listings, access analytics, or manage client inquiries after signing a Service Contract. - Data Collected: Name, surname, company name, municipality, email, phone, listing details (e.g., property address, price). - Legal Basis: - UK/EU: Contract performance (UK GDPR Art. 6(1)(b)). - California: Contract performance per CCPA S.1798.140(v). - Other jurisdictions: Contract per local laws (e.g., LGPD Art. 7(II)). - Optional Nature: Mandatory for professional services; non-provision prevents contract execution. Failure to provide mandatory data for registration (Purpose A) prevents access to services under Purposes B, C, and D. Processing complies with the Customer Jurisdiction Compliance Framework (Attachment A, Compliance and Governance Model).

The Controller processes personal data in compliance with UK GDPR (Art. 25, 32), EU GDPR (Art. 25, 32), CCPA (S.1798.100), and other laws (e.g., LGPD Art. 46, APPI Art. 20), using manual, IT, or telematic systems, including automated tools for storage, management, and transmission. Data are protected with measures like encryption, access controls, and ISO 27001-aligned cybersecurity to minimize risks of unauthorized access, disclosure, loss, or destruction. Storage Duration: - Data are retained only as necessary for the purposes (e.g., saving searches, publishing listings, contacting advertisers). - Without a deletion request, data are stored for up to 10 years from the User’s last access, per UK GDPR Art. 5(1)(e), except: - California: Data deletion upon CCPA request (S.1798.105). - Other Jurisdictions: Per local laws (e.g., LGPD Art. 16, APPI Art. 19). - Users may request deletion by emailing connect@binariver.com, per UK GDPR Art. 7(3), CCPA S.1798.105, or equivalent.

Personal data may be processed by: - Data Processors (UK GDPR Art. 28): Contracted entities (e.g., cloud providers, IT support) under strict agreements. - Authorized Personnel (UK GDPR Art. 29): Trained employees. - Third Parties: Independent controllers (e.g., real estate agencies, financial intermediaries) receiving data for services (e.g., listing inquiries, mortgage advice). The Controller is not liable for their processing. - Authorities: Data may be shared with regulatory bodies (e.g., ICO, CPPA) when required by law.

- If UK authorities demand EU customer data (e.g., inquiry data) threatening prosecution, but disclosure conflicts with EU GDPR (Art. 48), the Controller follows the Compliance and Governance Model (Section D): 1. Notify DPO immediately. 2. Verify UK legal basis (e.g., Data Protection Act 2018, S.115). 3. Consult EU client for consent/exemption. 4. Engage legal counsel to balance UK prosecution vs. EU GDPR fines (€20M or 4% turnover). 5. Minimize disclosure (e.g., pseudonymization). 6. Notify EU DPA of potential breach. 7. Document decision. 8. Escalate to Board for high-risk cases. - Mitigation: EU data stored in EU-based servers, encrypted, with conflict clauses in DPAs (Attachment D).

Personal data may be transferred outside the UK or EEA for service execution (e.g., hosting listing data, processing inquiries), per UK GDPR (Art. 44-50), EU GDPR (Art. 44-50), CCPA (S.1798.140), and local laws (e.g., LGPD Art. 33, APPI Art. 24). Transfers are managed as follows: - UK: UK GDPR-compliant. - EU: EU GDPR, SCCs for non-EEA transfers. - USA (California): SCCs, DPAs addressing CCPA and CLOUD Act (S.103). - Canada: Adequacy decision (EU GDPR), PIPEDA compliance. - Argentina: PDPL Art. 12, DPAs. - Brazil: LGPD Art. 33, SCCs. - Japan: Adequacy decision (EU GDPR), APPI Art. 24. - Australia: APP 8, BCRs/contracts. - India: DPDP Act S.16, SCCs. - Other Countries: UK GDPR baseline, SCCs/DPAs. Safeguards include encryption, pseudonymization, and audits (see Attachment D, Compliance and Governance Model).

The Website and Apps collect browsing data (e.g., IP addresses, domain names, URI addresses, timestamps, server response codes) inherent to internet protocols. These are used for: - Anonymous statistical analysis (e.g., popular listings). - Functionality monitoring. - Investigating cybercrimes upon authority request (e.g., ICO, CPPA). Data are not linked to identifiable individuals unless required by law.

- Cookies: Enhance user experience (e.g., saving search preferences) and provide relevant ads. No personal data are transmitted. California residents can opt out of cookie-based “sales” per CCPA S.1798.120. Users can disable cookies via browser settings (see Cookie Policy). - Search Engines: Real estate listings may be indexed by third-party search engines. Cached copies may persist briefly after removal; Users can request updates from search engines. - Location Data: If enabled, processed anonymously for location-based features (e.g., property searches). Users can disable this via device settings. See the Cookie Policy on the Website and Apps.

Users have rights under UK GDPR (Art. 15-22), EU GDPR (Art. 15-22), CCPA (S.1798.100-125), and other laws (e.g., LGPD Art. 18, APPI Art. 28, DPDP Act S.11): - Access: Confirm data processing and obtain details. - Rectification: Correct inaccurate data. - Erasure: Request deletion (“right to be forgotten”; CCPA “right to delete”). - Restriction: Limit processing. - Portability: Receive/transfer data. - Objection: Oppose processing (e.g., marketing). - Opt-Out (California): Opt out of data sales/sharing (CCPA S.1798.120). - Non-Discrimination (California): No denial of services for exercising CCPA rights (S.1798.125). - Withdraw Consent: Revoke consent. - Lodge a Complaint: Contact authorities (e.g., ICO, CPPA, ANPD). To exercise rights, contact: - Data Controller: Binariver Ltd., 27 Old Gloucester Street, London, WC1N 3AX, UK, connect@spokel.com. - Data Protection Officer: dpo@spokel.com. Organisation, Management and Control Model and Code of Ethics Binariver Ltd.’s Organisation, Management and Control Model prevents corporate offenses and ensures ethical conduct for Spokel.com. The Code of Ethics (Attachment B, Compliance and Governance Model) guides operations with transparency and data protection. A Supervisory Body monitors compliance. Review these on the Website.

Reports of breaches (e.g., data violations, bribery) per PIDA 1998 and EU Whistleblowing Directive (2019/1937) best practices are made via whistleblowing.spokel.com (see Attachment C, Compliance and Governance Model).

Significant changes will be notified via the Website, Apps, or email. Date of Last Update: 15 May 2025

- Spokel.com Specificity: Tailored to real estate listing activities (publishing by agencies/companies/private individuals, customer searches/contact), distinct from Binariver’s generic policy covering ERP/CRM/medical apps. - CCPA/CPRA: Integrated California-specific rights (opt-out, deletion, non-discrimination), legal basis (S.1798.140(v)), and CLOUD Act safeguards, per Attachment A (USA/California). - Other Country Groups: Aligns with Attachment A’s frameworks (UK, EU, Canada, Argentina, Brazil, Japan, Australia, India, Other Countries), with legal bases and authorities (e.g., OAIC, ANPD). - UK-EU Conflict: Retains procedure from Compliance and Governance Model (Section D), adapted for real estate data (e.g., inquiry details). - Real Estate Focus: Emphasizes listing publication, advertiser contact, and search forwarding, with third-party liability clarified. - Date: Updated to 15 May 2025, 03:04 PM BST. - Consistency: Aligns with Attachments A-D, ensuring jurisdiction-specific compliance and referencing Binariver’s broader governance framework.