Privacy Statement

Privacy Statement – Atlas Clara Relocation Research Support Services

Version 1.0 | English | May 2026

This Privacy Statement was last updated on 14 May 2026.

1. Introduction

1.1.Purpose of this Privacy Statement

• Atlas Clara values your privacy and is committed to protecting your personal data. The purpose of this Privacy Statement is to inform you, as the Client, about how your personal information is collected, used, stored, and protected when you engage with Atlas Clara for relocation research support services.

• Under the GDPR/AVG, Atlas Clara has a "duty to inform" (informatieplicht). This document explains the legal grounds for processing your data and ensures that your relationship with Atlas Clara is transparent and secure. This Statement is an integral part of the Atlas Clara General Terms and Conditions.

• For the purposes of the GDPR/AVG, Atlas Clara acts as the Data Controller (verwerkingsverantwoordelijke). This means Atlas Clara determines why and how your personal data is processed.

1.2. Who this Privacy Statement applies to

This Privacy Statement applies to you if you are:

• A Private Client (B2C): A natural person acting for personal, non-commercial purposes who enters into an Agreement with Atlas Clara for relocation support.

• A Business Client (B2B): A representative, contact person, or employee of a company that engages Atlas Clara’s services.

• A Prospective Client: Someone who communicates with Atlas Clara via email or other channels to inquire about relocation services.

• A Website Visitor: Anyone navigating the Atlas Clara website.

2. Identity and Contact Details of the Controller

2.1. Data Controller Identification

This privacy statement applies to the services and data processing activities of the Service Provider. The Service Provider and acts as the controller within the meaning of the General Data Protection Regulation (GDPR / AVG).

• Name: Atlas Clara

• Legal form: not yet registered (pre-launch/founding phase)

• Chamber of Commerce (KvK) number: not yet registered (pre-launch/founding phase)

• VAT number (BTW-id): not yet registered (pre-launch/founding phase)

• Registered Business Address: (pre-launch/founding phase) Amsterdam, The Netherlands

• Email: hello@atlasclara.com

The Service Provider is the controller (verwerkingsverantwoordelijke) within the meaning of the General Data Protection Regulation (GDPR/AVG). This means that the Service Provider determines the purposes and means of the processing of your personal data in the context of the relocation research support services it provides.

All processing of personal data by the Service Provider is subject to Dutch and European data protection law, including the GDPR/AVG and the Dutch Implementation Act on the GDPR (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG).

Atlas Clara is the “controller” within the meaning of the General Data Protection Regulation (GDPR / AVG). Atlas Clara does not have a Data Protection Officer (DPO). Contact Atlas Clara for any privacy related questions at hello@atlasclara.com.

2.2. Data Protection Officer (DPO)

• The Service Provider aims to be a sole trader (eenmanszaak) operating as a small-scale service provider. As such, the Service Provider is not legally required to appoint a Data Protection Officer (DPO) under the GDPR/AVG.

• The Service Provider has not voluntarily appointed a DPO. For all privacy-related inquiries and requests, please contact the Service Provider directly using the contact details set out in this Privacy Statement.

3. Scope

3.1. When this Privacy Statement Applies

This Privacy Statement applies whenever the Service Provider processes your personal data in connection with:

• the provision of relocation research support services, including any relocation package selected by you through the website of the Service Provider;

• the conclusion, performance, or termination of an Agreement between you and the Service Provider, including all pre-contractual communications and enquiries;

• the use of the website of the Service Provider, including through cookies and similar tracking technologies as described in this Privacy Statement;

• any direct communication between you and the Service Provider by email, contact form, or any other channel;

• the sending of service-related communications, administrative notifications, or, where applicable and with your consent, commercial communications;

• compliance by the Service Provider with legal obligations under Dutch or European law, including tax, accounting, and administrative obligations.

This Privacy Statement applies regardless of whether you are an individual consumer (B2C) or a legal entity or professional acting for business purposes (B2B). Where a distinction exists between the two categories of Clients, this is explicitly indicated in the relevant section.

This Privacy Statement does not apply to the processing activities of third parties whose websites or services may be accessible via links on the website of the Service Provider. The Service Provider has no control over such third-party processing and accepts no responsibility for it. You are encouraged to consult the privacy policies of any third-party websites or services you access.

3.2. Relationship with the General Terms and Conditions of the Service Provider

• This Privacy Statement forms an integral part of the General Terms and Conditions of the Service Provider and of any Agreement concluded between the Service Provider and the Client, in accordance with the General Terms and Conditions.

• In the event of any conflict or inconsistency between the provisions of this Privacy Statement and the General Terms and Conditions with respect to the processing of personal data, this Privacy Statement shall prevail.

• Amendments to the General Terms and Conditions do not automatically constitute amendments to this Privacy Statement, and vice versa. Each document is updated independently and carries its own version date.

• By entering into an Agreement with the Service Provider, or by using the website of the Service Provider, you acknowledge that you have read, understood, and accepted this Privacy Statement in its current version. Where processing is based on your consent, the Service Provider will request that consent separately and explicitly, in accordance with the requirements of the GDPR/AVG.

4. Categories of Data Subjects

The Service Provider processes personal data belonging to different groups of individuals. Depending on your specific relationship with the Service Provider, the types of data collected and the reasons for processing may vary. This Privacy Statement applies to you if you fall into one of the following categories:

• Individual Clients (B2C consumers): You are a natural person acting for personal and non-commercial purposes who enters into an Agreement with the Service Provider for relocation research and support services.

• Business Clients and Contact Persons (B2B): You are a representative, a contact person, or an employee of a legal entity or company that engages the professional services of the Service Provider. In this case, the Service Provider processes your professional contact details to facilitate the business relationship.

• Prospective Clients: You are an individual who has not yet entered into a formal Agreement but has communicated with the Service Provider via email or other digital channels to inquire about relocation packages, pricing, or availability.

• Website Visitors: You are an individual navigating the website of the Service Provider. Even if you do not actively submit a form, certain technical data may be processed during your visit to ensure the website functions securely and correctly.

5. Personal Data We Collect

The Service Provider collects and processes personal data to the extent necessary to provide high-quality relocation research and to fulfill legal obligations.

5.1. Data Provided by You (Direct Collection)

The Service Provider collects personal information that you actively provide when you inquire about or purchase a relocation package. This occurs primarily through the intake form or survey, email correspondence, and online meetings.

• Identification and Contact Details: Your first and last name, current residential address, country and city of destination, email address, and telephone or messaging numbers (such as WhatsApp).

• Relocation Profile and Preferences: Information you provide regarding your household situation, specific moving instructions, housing preferences, and any other details relevant to the performance of the relocation research.

• Financial and Transaction Data: Your bank account number as it appears on invoices or payment statements, along with details regarding payments made for the services provided.

• Communication Data: The content of your emails, messages, and notes from consultations which are necessary to track the progress of your assignment.

5.2. Special Categories of Personal Data (If Applicable) and Minors

• The Service Provider does not intentionally collect or process "special" categories of personal data as defined by the GDPR/AVG. This includes, but is not limited to, data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person's sex life or sexual orientation, and criminal records or offences.

• The Service Provider does not process citizen service numbers (burgerservicenummer, BSN) of any Client, contact person, or website visitor-

• Additional Safeguards: If, despite the above, you voluntarily include information of a special or sensitive nature in your intake form, email correspondence, or any other communication with the Service Provider, the Service Provider will process such information only to the extent strictly necessary to fulfil your specific research request, on the basis of your explicit consent within the meaning of the GDPR/AVG.

• Minors: The services of the Service Provider are intended exclusively for adults. The website and services of the Service Provider are not directed at natural persons under the age of sixteen (16) years, and the Service Provider does not knowingly or intentionally collect personal data from individuals under that age.

• If you believe that the Service Provider has inadvertently collected special categories of personal data without a valid legal basis or your explicit consent or collected personal data from a person under the age of sixteen (16) without the required parental or guardian consent, you are encouraged to contact the Service Provider without delay at hello@atlasclara.com. The Service Provider will investigate and, where appropriate, delete the data in question.

5.3. Financial and Transaction Data

In order to process payments and fulfil its tax and accounting obligations under Dutch law, the Service Provider processes the following financial and transaction data:

• bank account numbers as they appear on bank statements, payment confirmations, or invoices submitted or received in connection with the Agreement;

• invoicing data, including billing name, billing address, invoice reference number, invoice date, and the amount invoiced including applicable VAT;

• purchase history, consisting of the service packages ordered, the corresponding fees paid, and the dates of the transactions;

• payment status records, including confirmations of payment, records of outstanding amounts, and, where applicable, records relating to late payment, statutory interest, or extrajudicial collection costs in accordance with Dutch law (Wet Incassokosten, WIK).

5.4. Communication Data (Emails & Messages)

The Service Provider processes personal data contained in all communications exchanged between you and the Service Provider, whether prior to, during, or following the performance of the Agreement. This includes:

• the full content of emails, contact form submissions, and any other written correspondence between you and the Service Provider;

• messaging data exchanged via communication platforms or applications, where you have chosen to use such a channel to contact the Service Provider;

• the date, time, and subject matter of communications;

• any attachments, documents, or other files shared by you in the course of the engagement;

• records of telephone or video calls, to the extent that notes or summaries are made by the Service Provider for the purpose of performing the assignment;

• internal notes and records maintained by the Service Provider in connection with the management of the client relationship and the performance of the Agreement.

Communication data are processed for the purpose of performing the Agreement, managing the client relationship, responding to complaints or disputes, and complying with the administrative and legal obligations of the Service Provider. The Service Provider treats all communication data with strict confidentiality, in accordance with the General Terms and Conditions.

5.5. Technical Data (Automatically Collected Data)

When you visit the website of the Service Provider, certain technical information is collected automatically to ensure the security and functionality of the digital environment. This includes:

• Technical Identifiers: Your IP address, browser type, and version.

• Device Information: The type of device you use to access the website and your operating system.

• Usage Data: Information about how you navigate the website, including timestamps of your visit.

This data is collected primarily through cookies and similar technologies. For more information on how to manage these, you may refer to the Cookie Policy of the Service Provider.

5.6. Accuracy of Data and Your Responsibility

Because the Service Provider relies on the information you provide to deliver personalized relocation research, you are responsible for ensuring that the personal data you share is accurate and up to date. If your situation changes during the performance of the service, you are encouraged to inform the Service Provider so your file can be updated accordingly. Regardless of which category you fall into, the Service Provider treats your privacy with the same level of professional care and legal compliance.

6. Purpose of Processing (Legal Bases for Processing)

The Service Provider processes personal data only where a valid legal basis exists the GDPR/AVG. For each processing purpose, the applicable legal basis is identified below. The Service Provider does not process your personal data for purposes incompatible with those for which they were originally collected, unless a separate legal basis exists or you have given your explicit consent.

6.1. Performance of a Contract

The Service Provider processes your personal data to the extent necessary to perform the Agreement concluded with you, including all pre-contractual steps taken at your request. This includes:

• assessing your relocation situation and personal circumstances on the basis of the completed intake form or survey;

• preparing, planning, and executing the relocation research assignment;

• delivering the agreed Deliverable electronically within the agreed timeframe;

• managing the progress of the assignment, including notifying you of any delays, changes, or issues arising during performance;

• processing your payment and issuing the applicable invoice;

• responding to questions, complaints, or requests directly related to the performance of the Agreement;

Without processing the personal data necessary for the above purposes, the Service Provider would be unable to perform the Agreement. If you decline to provide the necessary data, the Service Provider may be unable to commence or complete the assignment.

6.2. Billing and Administrative Compliance

The Service Provider processes your personal data for the purpose of managing its financial administration and fulfilling its billing obligations towards you and towards the competent Dutch authorities. This includes:

• preparing and sending invoices for the agreed service fee, including the applicable VAT in accordance with Dutch VAT law;

• recording payments received, monitoring payment status, and, where necessary, issuing payment reminders (aanmaningen) and applying statutory interest and extrajudicial collection costs in accordance with Dutch law (Wet Incassokosten, WIK);

• maintaining a complete and accurate financial administration in compliance with the statutory bookkeeping obligations under the Dutch Civil Code (Burgerlijk Wetboek) and the requirements of the Dutch Tax Authority (Belastingdienst);

6.3. Customer Support and Relationship Management

The Service Provider processes your personal data for the purpose of providing you with adequate customer support and maintaining an effective and professional working relationship throughout the duration of the Agreement and, where applicable, after its conclusion. This includes:

• responding to your questions, requests, and communications by email, telephone, or any other agreed communication channel, in a timely and professional manner;

• scheduling, confirming, and following up on appointments or consultations related to the performance of the assignment;

• notifying you of changes to the service, delivery timelines, or any other matter relevant to the Agreement, in accordance with the General Terms and Conditions;

• managing complaints and disputes in accordance with the complaints procedure set out in the General Terms and Conditions, including maintaining a record of the complaint and the steps taken to resolve it;

• following up after delivery of the Deliverable to the extent necessary to confirm receipt, address any review or acceptance queries within the applicable review period, and close the assignment properly.

The legitimate interest of the Service Provider in processing personal data for customer support purposes consists of maintaining a professional, responsive, and well-documented client relationship, which is essential to the proper performance of the services offered. This interest has been balanced against your rights and interests and does not override them. You have the right to object to processing carried out on the basis of legitimate interests, as described in this Privacy Statement.

6.4. Compliance with Legal and Tax Obligations

The Service Provider is subject to a number of legal and administrative obligations under Dutch and European law that require the processing of certain personal data. This includes:

• complying with the statutory bookkeeping and financial record-keeping obligations under the Dutch Civil Code (Burgerlijk Wetboek, BW) and Dutch tax law;

• issuing correct and compliant invoices including mandatory VAT information in accordance with Dutch VAT law;

• providing information to competent authorities, including the Dutch Tax Authority (Belastingdienst), the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), or any other public body, where the Service Provider is legally required to do so;

• complying with obligations arising from the GDPR/AVG and the UAVG, including the obligation to respond to data subject requests, to report data breaches within the statutory timeframe, and to maintain an adequate record of processing activities.

6.5. Legitimate Interests of the Service Provider

The Service Provider relies on legitimate interests as a legal basis for the following processing activities:

• Customer relationship management: maintaining an adequate record of client interactions, correspondence, and completed assignments for the purpose of managing the client relationship, handling disputes, and improving the quality of the service;

• Business administration: keeping internal administrative records of concluded agreements, delivered services, and business contacts for operational and organisational purposes;

• B2B relationship management: processing the contact details and professional information of contact persons acting on behalf of business Clients, for the purpose of maintaining a professional business relationship and performing the assignment;

• Website improvement and security: processing technical and usage data collected through the website for the purpose of ensuring the security and functionality of the digital environment, detecting and preventing abuse, and generating anonymised traffic statistics to improve the website;

• Direct communication: contacting you by email or other means to respond to your enquiries, confirm appointments, notify you of minor changes to the service, or follow up on an existing assignment, where such communication is reasonably expected in the context of the professional relationship.

Before relying on legitimate interests as a legal basis, the Service Provider performs a balancing test to ensure that its interests do not override your interests, rights, or freedoms.

6.6. Consent

The Service Provider relies on your consent as a legal basis in the following specific situations:

• Placement of non-essential cookies: the Service Provider will only place analytical, functional, or marketing cookies that are not strictly necessary for the operation of the website after obtaining your prior consent through the cookie banner displayed on the website;

• Commercial communications and newsletters: where the Service Provider wishes to send you promotional or marketing communications about its services, it will only do so on the basis of your prior explicit consent, obtained separately and independently from the conclusion of the Agreement;

• Processing of special categories of personal data: where you voluntarily include sensitive personal data in your intake form or correspondence, the Service Provider will process such data only on the basis of your explicit consent within the meaning the GDPR/AVG.

Consent is always requested separately, in plain language, and for a specific and clearly defined purpose. You have the right to withdraw your consent at any time without prejudice to the lawfulness of processing carried out prior to the withdrawal. Withdrawal of consent can be communicated to the Service Provider by email at hello@atlasclara.com. Withdrawing consent does not affect the processing of personal data carried out on other legal bases, such as performance of a contract or compliance with a legal obligation.

7. Data Sharing and Third Parties (Recipients of Personal Data)

The Service Provider does not sell, rent, or otherwise commercially transfer your personal data to third parties. Personal data are only shared with third parties where this is strictly necessary for the performance of the Agreement, for compliance with a legal obligation, or where another valid legal basis under the GDPR/AVG exists. All sharing of personal data is limited to what is necessary for the specific purpose for which it takes place.

7.1. Internal Recipients

As a sole trader (eenmanszaak), the Service Provider does not operate within a corporate group and has no employees. Personal data are processed exclusively by the Service Provider itself in the context of the performance of its services. No internal sharing of personal data with other entities or affiliated companies takes place.

7.2. External Processors

The Service Provider works with a limited number of external service providers who process personal data on its behalf to facilitate business operations. These parties qualify as processors (verwerkers) within the meaning of the GDPR/AVG. The Service Provider retains full responsibility for the processing carried out by these processors on its behalf.

The categories of processors engaged by the Service Provider include:

• IT, Cloud and productivity providers: providers of email, online document storage, and collaboration tools used in the day-to-day performance of the service (such as Google Workspace or equivalent);

• Accounting and invoicing software: digital tools used by the Service Provider for issuing invoices, recording payments, and maintaining its financial administration, and, where applicable, an external bookkeeper assisting with tax filing;

• Payment service providers: third-party platforms used to process client payments securely and in compliance with applicable payment regulations. These providers process payment card data as independent controllers for the purpose of executing the transaction;

• Secure online communication and meeting tools: platforms used to conduct video or telephone consultations with Clients, where applicable.

To protect your privacy, the Service Provider concludes a Data Processing Agreement (verwerkersovereenkomst) with these parties in accordance with the GDPR. This ensures that these processors maintain the same level of security and confidentiality as the Service Provider and that they do not use your data for their own purposes. The Service Provider reviews its processors periodically and ensures that appropriate contractual safeguards are in place at all times.

7.3. Independent Third-Party Controllers

Some third parties with whom the Service Provider shares personal data act as independent controllers (verwerkingsverantwoordelijken) in their own right, meaning that they determine the purposes and means of processing independently from the Service Provider. Once personal data have been shared with such a party for a legitimate purpose, that party bears its own responsibility for further processing in accordance with applicable data protection law.

The independent controllers with whom the Service Provider may share personal data include:

• Dutch Tax Authority (Belastingdienst): where the Service Provider is legally obliged to share financial or identification data for the purpose of fulfilling its tax obligations under Dutch tax law;

• Other competent public authorities and supervisory bodies: including the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or any other government body, where the Service Provider is subject to a statutory obligation to provide information or cooperate with an investigation;

• Banks and payment service providers: in the context of executing payment transactions and processing invoices, to the extent that such parties act as independent controllers for their own regulatory and compliance purposes.

8. International Transfers of Personal Data

8.1. Processing Outside the European Economic Area (EEA)

The Service Provider is established in the Netherlands and processes personal data primarily within the European Economic Area (EEA). However, some of the external processors engaged by the Service Provider, including cloud and productivity providers, accounting software providers, and online meeting tools, may store or process personal data on servers located outside the EEA.

8.2. Transfer Mechanisms: Adequacy Decisions and Standard Contractual Clauses

Where personal data are transferred to a country outside the EEA, the Service Provider relies on one or more of the following legally recognised transfer mechanisms under the GDPR/AVG:

• Adequacy decision: the European Commission has determined that the destination country ensures an adequate level of data protection equivalent to that within the EEA. Countries currently holding an adequacy decision include, among others, the United Kingdom, Switzerland, Japan, and the United States under the EU-US Data Privacy Framework. Where a processor is located in or transfers data to a country with a valid adequacy decision, no additional safeguard is required;

• Standard Contractual Clauses (SCCs): where no adequacy decision exists for the destination country, the Service Provider ensures that the transfer is governed by the Standard Contractual Clauses approved by the European Commission under Implementing Decision. These clauses contractually bind both the exporting and importing party to GDPR-equivalent standards of data protection and impose obligations regarding security, confidentiality, data subject rights, and data breach notification;

• Other appropriate safeguards: in exceptional circumstances, the Service Provider may rely on other appropriate safeguards permitted under the GDPR/AVG, such as binding corporate rules or approved certification mechanisms, where applicable and relevant.

8.3. Safeguards Applied

The Service Provider only selects reputable partners who demonstrate a high commitment to security.

The Service Provider maintains an overview of the third-party processors and tools it uses, including those that may involve transfers of personal data outside the EEA, and the applicable transfer mechanism in each case.

This overview is reviewed periodically to reflect changes in the processor landscape or in the legal framework governing international transfers.

If you wish to obtain more information about the specific safeguards applicable to a particular transfer of your personal data you may contact the Service Provider at any time.

9. Data Retention Periods

The Service Provider does not retain your personal data for longer than is necessary for the purposes for which they were collected, or for longer than is required by a statutory retention obligation.

9.1. Statutory Fiscal Retention (7 Years)

In accordance with the statutory retention obligations imposed by the Dutch Tax Authority (Belastingdienst) and the Dutch Civil Code, the Service Provider is required to keep a record of its financial administration.

• Scope of Data: This includes invoices, payment statements, and basic contact details required for bookkeeping.

• Retention Period: These records are retained for a minimum period of seven years following the end of the financial year in which the transaction took place.

• Payment Details: Please note that the Service Provider does not store your payment card details. All digital payments are processed via a third party payment service provider acting as an independent data controller.

9.2. Project and Research Documentation (2 Years)

To provide you with high quality support and to handle any follow up questions you may have after your relocation, the Service Provider retains your project specific information for a limited time.

• Scope of Data: This includes your completed intake forms, customized research reports, inventory lists, and email correspondence related to the performance of the assignment.

• Retention Period: This data is retained for up to two years after the completion of the service or the end of the client relationship. This period is based on the interest of the Service Provider in maintaining a record for potential liability claims or quality assurance, unless a longer period is required due to a specific legal dispute.

9.3. Deletion and Anonymization

• Once the applicable retention period has expired, the Service Provider will delete or permanently anonymise the personal data in question, so that they can no longer be attributed to or linked with an identifiable individual.

• When data is anonymized, all identifiers are removed so that the information can no longer be linked to you as an individual. Anonymized data may be used by the Service Provider for internal statistical purposes to improve the quality of future relocation packages.

10. Cookies and Similar Technologies

10.1. Website

The Service Provider will implement the following measures in accordance with the Dutch Telecommunications Act (Telecommunicatiewet), the Dutch Authority for Consumers and Markets (Autoriteit Consument en Markt, ACM), and the GDPR/AVG:

• a clear and accessible cookie notice informing you of the types of cookies used, their purposes, and their retention periods;

• a consent mechanism that allows you to accept or refuse non-essential cookies prior to their placement, in compliance with the requirement of prior informed consent under the Telecommunicatiewet and GDPR/AVG;

• a cookie preference centre allowing you to manage and adjust your cookie choices at any time, including the ability to withdraw previously given consent with immediate effect;

• a cookie register documenting all cookies placed on the website, their names, providers, purposes, and retention periods.

10.2. Categories of Cookies (Anticipated)

The Service Provider uses the following categories of cookies:

• Strictly necessary cookies: cookies that are essential for the technical operation and security of the website, such as session cookies that maintain your browsing session. These cookies do not require your consent as they are strictly necessary within the meaning of the Dutch Telecommunicatiewet;

• Functional cookies: cookies that remember your preferences and settings to improve your browsing experience, such as language preferences. These cookies require your prior consent where they are not strictly necessary;

• Analytical cookies: cookies that collect anonymised or aggregated data about how visitors use the website, for the purpose of improving its content and functionality. Where such cookies are privacy-friendly and anonymised, they may be placed without consent under the ACM guidelines; where they involve personal data, prior consent will be required;

• Marketing and tracking cookies: cookies placed for commercial or advertising purposes. The Service Provider does not currently intend to place marketing cookies, but will update this section if this changes in the future.

10.3. Your Cookie Choices

You are able to manage your cookie preferences at any time by:

• Adjusting the settings in the cookie preference centre accessible via the cookie banner on the website;

• Configuring your internet browser to refuse the placement of cookies, or to delete existing cookies. Please note that disabling cookies may affect the functionality of the website;

11. Security of Personal Data

The Service Provider takes the protection of your personal data seriously and has implemented appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, in accordance with the GDPR/AVG and the guidelines of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

The security measures applied by the Service Provider are proportionate to the nature, scope, and sensitivity of the personal data processed, and to the risks posed to your rights and freedoms as a data subject.

11.1. Technical and Organisational Measures

The Service Provider has implemented the following technical and organisational measures to ensure a level of security appropriate to the risk:

• Secure connections: all digital communications and file transfers involving personal data are conducted over encrypted connections (SSL/TLS), and the Service Provider uses only reputable cloud-based service providers that apply industry-standard security protocols;

• Access control: access to personal data is strictly limited to the Service Provider itself. No third parties have access to client files or personal data unless this is necessary for the performance of the Agreement and an appropriate legal basis and, where required, a data processing agreement is in place;

• Password security and two-factor authentication: the Service Provider uses strong, unique passwords for all accounts and systems used in the processing of personal data and applies two-factor authentication (2FA) wherever the relevant platform supports it;

• Device security: devices used by the Service Provider for business purposes are protected by password or PIN, screen-lock, and up-to-date antivirus or security software. Automatic software updates are enabled to ensure that known security vulnerabilities are patched in a timely manner;

11.2. Confidentiality Obligations

The Service Provider treats all personal data processed in the context of the Agreement with strict confidentiality, in accordance with the General Terms and Conditions. The Service Provider does not disclose personal data to third parties except where this is necessary for the performance of the Agreement, required by law, or otherwise permitted under this Privacy Statement.

Where the Service Provider engages external processors who may have access to personal data, those processors are bound by contractual confidentiality obligations under the data processing agreements concluded in accordance with the GDPR/AVG, as described in this Privacy Statement.

11.3. Data Breach Protocol

In the event of a personal data breach (datalek) within the meaning of the GDPR/AVG, the Service Provider will take the following steps:

• Internal assessment: upon becoming aware of a potential data breach, the Service Provider will immediately assess the nature, scope, and likely consequences of the breach and take all reasonable steps to contain it and limit further damage;

• Notification to the Autoriteit Persoonsgegevens: where the breach is likely to result in a risk to the rights and freedoms of natural persons, the Service Provider will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with the GDPR/AVG;

• Notification to affected data subjects: where the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, the Service Provider will notify you directly without undue delay, in accordance with the GDPR/AVG. The notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it;

• Documentation: all data breaches, including those that are not reported to the supervisory authority, will be documented internally in a data breach register, in accordance with the GDPR/AVG.

11.4. Limitations and Reporting

Despite the security measures described above, no system or method of electronic transmission or storage can be guaranteed to be completely secure. The Service Provider cannot guarantee absolute security of personal data processed in connection with its services.

If you suspect that your personal data are not adequately secured, or if you have indications of unauthorised access or misuse of your personal data, please contact the Service Provider immediately at hello@atlasclara.com. The Service Provider will investigate the matter without undue delay and take appropriate action.

12. Your Rights Under the GDPR/AVG

Under the GDPR/AVG and the Dutch Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG), you have a number of rights with respect to the personal data that the Service Provider processes about you. The Service Provider will handle all requests with due care and within the statutory timeframes.

12.1. Right of Access

You have the right to request access to the personal data the Service Provider has collected from you. This allows you to receive a copy of the personal information held about you and to verify that it is being processed lawfully.

12.2. Right to Rectification

If you believe that the personal data the Service Provider holds about you is inaccurate, out of date, or incomplete, you have the right to request that this information be corrected or supplemented.

12.3. Right to Erasure

You may request that the Service Provider deletes your personal data. Please note that this right is not absolute. The right to erasure does not apply where processing is necessary for compliance with a legal obligation, including the statutory seven-year retention obligation under Dutch tax law, or for the establishment, exercise, or defence of legal claims.

12.4. Right to Restriction of Processing

In specific situations, you have the right to request that the Service Provider temporarily suspends or restricts the processing of your personal data. For example, you can request this if you are contesting the accuracy of the data.

12.5. Right to Data Portability

You have the right to receive the personal data you provided to the Service Provider in a structured, commonly used, and machine readable format. Where technically feasible, you may also request that the Service Provider transfers this data directly to another organization.

12.6. Right to Object

You may object to the processing of your personal data if the Service Provider is relying on a "legitimate interest" as the legal basis for processing. If you object, the Service Provider will stop processing the data unless there are compelling legitimate grounds to continue.

12.7. Procedures for Exercising Your Rights

To exercise any of the rights described in this Section, please submit a written request by email to hello@atlasclara.com. Your request should include:

• your full name and contact details;

• a clear description of the right you wish to exercise;

• sufficient information to allow the Service Provider to verify your identity.

The Service Provider may request additional proof of identity before processing your request, to ensure that personal data are not disclosed to or altered by an unauthorised person.

The Service Provider will respond without undue delay and in any case within thirty (30) calendar days of receipt of a valid request. Where requests are complex or numerous, this period may be extended by a further two (2) months, of which you will be informed within the initial thirty-day period.

13. Automated Decision-Making and Profiling

13.1. No Automated Decision-Making

The Service Provider does not make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or that similarly significantly affect you, within the meaning of Article 22 of the GDPR (AVG). All decisions taken by the Service Provider in the context of the Agreement, including decisions regarding the scope, content, and delivery of the relocation research report, involve meaningful human review and are made personally by the Service Provider.

13.2. Human-Centric Service Model

All relocation research, analysis, and recommendations provided to you, as the Client, are the result of manual professional intervention. No algorithms or automated systems are used by the Service Provider to determine the outcome related to the relocation service.

Where the Service Provider uses digital tools or AI-assisted technologies to support its research process, such as publicly available information retrieval tools, those tools are used solely as a research aid under the direct supervision and professional judgment of the Service Provider. No personal data of the Client are inputted into such tools, and the Service Provider retains full professional responsibility for the content and accuracy of all Deliverables.

13.3. No Profiling for Commercial Purposes

The Service Provider does not use your personal data to create automated profiles for commercial, marketing, advertising, or decision-making purposes. Personal data collected through the intake form and in the course of the assignment are used exclusively to perform the agreed service.

The Service Provider does not draw inferences about your behaviour, lifestyle, preferences, creditworthiness, or personal characteristics beyond what you have directly and voluntarily shared for the specific purpose of your relocation research. No personal data are sold, licensed, or made available to third parties for profiling purposes.

14. Specific Provisions for Business Clients (B2B)

Where the Client is a legal entity, partnership, sole trader acting in a professional capacity, or any other business entity, the provisions of this Section apply in addition to the general provisions of this Privacy Statement. In the event of any conflict between this Section and the general provisions, this Section prevails in respect of business Clients.

14.1. Processing of Contact Person Details

Where the Client is a business entity, the Service Provider necessarily processes the personal data of the natural persons acting as contact persons, authorised representatives, or employees on behalf of that entity. This includes, but is not limited to:

• the full name and professional title of the contact person;

• the work email address and work telephone number of the contact person;

• the name and registration details of the business entity represented;

• any additional professional information provided in the context of the assignment, such as the contact person's role in the relocation process or their authority to act on behalf of the entity.

Contact persons are data subjects within the meaning of the GDPR/AVG and retain all rights set out in this Privacy Statement, regardless of the fact that the contractual relationship exists between the Service Provider and the business entity itself.

The Service Provider processes contact person data exclusively for the purpose of performing the Agreement with the business Client, managing the professional relationship, handling invoicing and administrative matters, and communicating effectively about the progress and delivery of the assignment.

Where a business Client engages the Service Provider on behalf of one or more individual employees who are the subject of the relocation research, those individuals are also data subjects. The business Client is responsible for ensuring that those individuals have been informed of the processing of their personal data by the Service Provider and, where applicable, that the required consent has been obtained.

14.2. Legitimate Interest Balancing

The Service Provider processes the personal data of business contact persons on the basis of its legitimate interests. Before relying on this legal basis, the Service Provider has conducted a balancing assessment, the outcome of which is summarised below.

Legitimate interests identified:

• performing the Agreement concluded with the business Client effectively and professionally;

• maintaining an adequate administrative and communication record of the business relationship;

• managing invoicing, payment, and financial administration in relation to the business engagement;

• responding to complaints, disputes, or legal claims that may arise in the context of the assignment.

Assessment of impact on contact persons:

• the processing is limited to professional contact details and is carried out exclusively in a business context in which such processing is reasonably expected;

• the categories of personal data processed are not sensitive and are provided by the contact person in their professional capacity;

• the processing is proportionate to the legitimate interests pursued and is not used for any purpose unrelated to the performance of the Agreement;

• contact persons are informed of the processing through this Privacy Statement and retain the right to object at any time.

Conclusion: The legitimate interests of the Service Provider in processing business contact person data are not overridden by the interests, rights, or freedoms of the contact persons concerned, given the professional context, the limited scope of the data, and the transparency provided through this Privacy Statement.

14.3. No Consumer Protection Rights

Business Clients and their contact persons do not benefit from the statutory consumer protection rights applicable to individual consumers under Dutch law, including the right of withdrawal under the Dutch Civil Code and the mandatory consumer protection provisions of the Dutch Consumer Authority (Autoriteit Consument en Markt). Business Clients are invited to contact the Service Provider directly to agree on the applicable contractual terms for their specific engagement.

14.4. Marketing Communications to Business Contacts

The Service Provider may send business contact persons service-related communications and professional updates about new relocation packages or changes to the service, on the basis of its legitimate interest in maintaining a professional business relationship. Business contact persons have the unconditional right to object to such communications at any time by contacting hello@atlasclara.com or by using the unsubscribe option included in any such communication.

14.5. B2B Data Responsibility

If you are a Business Client providing personal data of your employees to the Service Provider (for example, to facilitate their relocation), you warrant that you have a valid legal basis to share that data with the Service Provider and that you have informed the data subjects (your employees) about this transfer in accordance with your own privacy obligations.

15. Third-Party Websites and Links

15.1. Disclaimer for External Websites

The website of the Service Provider a may contain hyperlinks to third-party websites, platforms, tools, or services that are not operated, owned, or controlled by the Service Provider. These links are provided for informational and practical convenience only and do not constitute an endorsement, recommendation, sponsorship, or approval of the content, products, services, privacy practices, or data processing activities of the linked third-party websites.

Please be aware of the following:

• No Control: The Service Provider has no control over the content, privacy policies, or practices of these external websites.

• Independent Responsibility: Once you click on a link and leave the digital environment of the Service Provider, this Privacy Statement no longer applies. These third parties may place their own cookies or collect data in ways that differ from the Service Provider’s standards.

• Recommendation: The Service Provider strongly encourages you to read the privacy statements of any third-party website you visit to understand how they handle your personal information.

15.2. Third-Party Tools Used in the Delivery of Services

Where the Service Provider uses third-party digital tools or platforms in the delivery of its relocation research support services, such as cloud storage, email providers, or online meeting tools, those tools are described in this Privacy Statement (External Processors). The use of such tools is governed by the data processing agreements concluded between the Service Provider and the relevant processors, in accordance with the GDPR/AVG.

The Service Provider is not responsible for the independent data processing activities of any third-party tool or platform beyond what is governed by the applicable data processing agreement.

15.3. Links in Research Deliverables

When the Service Provider includes links in your customized relocation report, these are provided for your convenience and information only. The inclusion of a link does not imply an endorsement of the third party’s data processing practices. The Service Provider is not liable for any damages or privacy issues resulting from your use of these external links.

15.4. Reporting Concerns About Third-Party Links

If you encounter a third-party link on the website of the Service Provider that you believe is inappropriate, harmful, or in conflict with the values and professional standards of the Service Provider, you are encouraged to notify the Service Provider at hello@atlasclara.com. The Service Provider will review the link and take appropriate action where necessary.

15.5. How to Contact the Service Provider About Privacy

If you have any questions, comments, or requests regarding this Privacy Statement or the processing of your personal data by the Service Provider, you may contact the Service Provider at any time using the details below:

Attention: Privacy - Atlas Clara

Email: hello@atlasclara.com

The Service Provider processes all privacy-related requests exclusively in writing, by email, in order to ensure adequate identification of the requester and to maintain a proper administrative record of all requests received and actions taken.

15.6. Filing a Complaint with the Service Provider

If you have a concern or complaint about the manner in which the Service Provider handles your personal data, the Service Provider encourages you to contact it directly in the first instance at hello@atlasclara.com before taking any further steps. This allows the Service Provider the opportunity to investigate the matter and resolve your concern promptly and amicably.

When submitting a privacy complaint to the Service Provider, please include the following information in your written request:

• your full name and contact details;

• a clear and specific description of the concern or complaint;

• the personal data or processing activity to which your complaint relates;

• any relevant correspondence or reference numbers, where applicable;

• sufficient information to allow the Service Provider to verify your identity, in order to ensure that personal data are not disclosed to or altered by an unauthorised person.

Where your complaint relates to the withdrawal of consent, please note that you may withdraw consent at any time by sending an email to hello@atlasclara.com or by using the unsubscribe option included in any commercial communication sent by the Service Provider. Withdrawal of consent does not affect the lawfulness of any processing carried out on the basis of consent prior to its withdrawal.

The Service Provider will respond to your request without undue delay and in any case within thirty calendar days. If a request is particularly complex, this period may be extended by an additional two months, of which you will be informed within the initial thirty day period. There is generally no charge for these requests, unless they are manifestly unfounded or excessive.

15.7. How to File a Complaint with the Autoriteit Persoonsgegevens

If you are not satisfied with the response received from the Service Provider, or if you believe that the Service Provider is processing your personal data in violation of the GDPR/AVG, you have the right to lodge a formal complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which is the competent supervisory authority in the Netherlands.

Contact details for the Authority:

• Address: Autoriteit Persoonsgegevens, Postbus 93374, 2509 AJ Den Haag

• Telephone: +31 (0)88 1805 250

• Website: www.autoriteitpersoonsgegevens.nl

You may submit a complaint to the Autoriteit Persoonsgegevens online via the complaint form available on their website. The Autoriteit Persoonsgegevens will handle your complaint in accordance with its own procedures and statutory powers under the GDPR/AVG and the UAVG.

While you have the right to contact the Authority at any time, the Service Provider appreciates the opportunity to resolve any concerns with you directly and amicably in the first instance.

If you reside in another European Union member state, you also have the right to lodge a complaint with the supervisory authority of your country of residence or place of work. A full list of European data protection supervisory authorities is available on the website of the European Data Protection Board at www.edpb.europa.eu. The Service Provider encourages you to contact us directly in the first instance so that we may attempt to resolve your concern promptly and amicably.

16. Amendments to This Privacy Statement

16.1. Right to Amend

The Service Provider reserves the right to amend or update this Privacy Statement at any time, where this is necessary or appropriate to reflect:

• changes in applicable data protection law, including amendments to the GDPR/AVG, the UAVG, or related Dutch legislation;

• updated guidelines or decisions issued by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the European Data Protection Board;

• changes in the services offered by the Service Provider, including new relocation packages or additional service categories;

• changes in the processing activities carried out by the Service Provider, including the engagement of new processors or the introduction of new tools;

• administrative updates such as changes to contact details, business address, or registration numbers.

16.2. How Changes Are Communicated

The Service Provider distinguishes between material amendments and minor administrative changes, and applies a different communication procedure for each:

• Material amendments: where a change significantly affects the manner in which personal data are processed, the rights of data subjects, or the legal bases relied upon, the Service Provider will notify existing Clients by email to the address associated with their client file, with a minimum notice period of thirty (30) calendar days before the amended version takes effect. This allows you sufficient time to review the changes and, where applicable, exercise your rights under Section 15 of this Privacy Statement;

• Minor and administrative changes: changes of a purely administrative nature, such as the correction of typographical errors, updated contact details, updated KVK or VAT numbers, or clarifications that do not substantively alter the Privacy Statement, may take effect immediately without prior individual notification.

In all cases, the updated version of this Privacy Statement will be made available on the website of the Service Provider and will indicate the date on which the most recent update was made.

16.3. Version Control

The Service Provider maintains an internal archive of previous versions of this statement. Each version of this Privacy Statement carries a version number and a date of last update, indicated at the top of the document. The version published on the website of the Service Provider at the time of the relevant processing activity is the version that applies to that activity.

Previous versions of this Privacy Statement are retained in the internal administrative records of the Service Provider and are available on request. If you wish to receive a copy of a previous version, please contact the Service Provider.

16.4. Continued Use as Acceptance

By continuing to use the services of the Service Provider or the website after an amended version of this Privacy Statement has taken effect, you acknowledge having read the updated version. If you do not agree with the changes introduced by a material amendment, you have the right to terminate the Agreement with the Service Provider in accordance with the procedures set out in the General Terms and Conditions, with effect from the date on which the amendment takes effect.

_____________________________

This Privacy Statement was drafted in accordance with the General Data Protection Regulation (GDPR/AVG), the Dutch Implementation Act on the GDPR (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG), and the guidelines of the Autoriteit Persoonsgegevens. It applies to all relocation research support services offered by Atlas Clara.

Privacy Statement – Atlas Clara Relocation Research Support Services

Version 1.0 | English | May 2026

This Privacy Statement was last updated on: 14 May 2026