1. Data Controller JG PERFORMANCE SYNDICATE LTD 19H Maxgrand Plaza, No. 3 Tai Yau St, San Po Kong Hong Kong Email: contact@performance-syndicate.com Phone: +852 5 944 7390 This website is intended for users worldwide, including the European Union. Although our company is based outside the EU, we comply with the requirements of the EU General Data Protection Regulation (GDPR) pursuant to Art. 3 (2) GDPR.

2. Data Protection Officer Currently, no external Data Protection Officer has been appointed. Responsibility for compliance with data protection requirements lies with the company itself.

3. Scope of Data Processing We process personal data only to the extent necessary for providing our content, services, and features. We adhere to principles of data minimization, purpose limitation, and confidentiality.

4. Categories of Data Processed We may process the following categories of personal data: Master data (name, address, date of birth) Contact details (email, phone number) Payment details (credit cards, bank accounts, payment status) Communication data (e.g. IP address, browser type, device information) Content data (texts, photos, uploads via forms) Usage data (page views, time spent, click behavior) Meta/connection data (device information, log files)

5. Legal Bases Depending on the purpose, processing is based on the following legal grounds: Art. 6 (1) lit. a – Consent Art. 6 (1) lit. b – Contract performance or pre-contractual measures Art. 6 (1) lit. c – Legal obligation Art. 6 (1) lit. f – Legitimate interest

6. Recipients and Processors Data may be processed by external service providers (processors), such as: Web hosting providers (e.g. AWS, IONOS) IT service providers Payment providers (Stripe, PayPal) Newsletter services (Mailchimp) Analytics and advertising providers (Google, Meta) All processors are bound by Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR.

7. Data Transfers to Third Countries Since many of our service providers are located in third countries (e.g. USA), data transfers only occur if: An EU adequacy decision exists, or We have concluded Standard Contractual Clauses (SCCs), or You have expressly consented (Art. 49 (1) lit. a GDPR).

8. IT Security We implement technical and organizational measures in accordance with Art. 32 GDPR to protect your data against loss, manipulation, and unauthorized access. These include: SSL encryption Firewall/DDoS protection Access controls Data backups Regular updates Secure password policies Access restrictions for service providers

9. Cookies and Consent Management Our website uses a cookie consent tool to manage your preferences. The legal basis for non-essential cookies is your consent (Art. 6 (1) lit. a GDPR). You may withdraw or adjust your consent at any time.

10. Analytics and Marketing Tools We use, among others, the following services: Google Analytics User behavior analysis, IP anonymization, processing in the USA, SCCs in place. Opt-out link: Disable Google Analytics Facebook/Meta Pixel Advertising effectiveness measurement, remarketing, SCCs in place. Mailchimp Newsletter Double opt-in procedure, unsubscribe at any time. Data transfer to the USA based on SCCs.

11. Payment Processing Payments are handled via third-party providers: Stripe (Stripe Inc., USA) PayPal (PayPal Inc., USA) The providers’ own privacy policies apply. Data transfers are based on SCCs.

12. Applications If you apply with us, we process your application documents solely for recruitment purposes. Data will be deleted no later than 6 months after the procedure ends unless legal retention obligations apply.

13. No Automated Decision-Making We do not use automated decision-making or profiling within the meaning of Art. 22 GDPR.

14. Protection of Minors Our website is not directed at individuals under 16 years of age. We do not knowingly process children’s data. Parents/guardians may contact us if they suspect personal data of a child has been processed.

15. Data Retention We store personal data only as long as necessary to fulfill the stated purposes or as required by law (e.g. tax retention obligations of up to 10 years).

16. Your Rights You have the right to: Access (Art. 15 GDPR) Rectification (Art. 16 GDPR) Erasure ("right to be forgotten", Art. 17 GDPR) Restriction of processing (Art. 18 GDPR) Data portability (Art. 20 GDPR) Objection to processing (Art. 21 GDPR) Withdrawal of consent (Art. 7 (3) GDPR) To exercise your rights, please contact us: Email: contact@performance-syndicate.com

17. Server Log Files Every access to our website automatically generates log files by our hosting provider, including: Browser type and version Operating system used Referrer URL Hostname of accessing computer Time of server request IP address These logs serve security and system stability (e.g. attack detection) and are stored based on Art. 6 (1) lit. f GDPR (legitimate interest).

18. Social Media Accounts We maintain online presences on social networks (e.g. Instagram, Facebook, TikTok). When you visit our profiles, the privacy policies of the respective operators apply. Data processing may be carried out by the platforms themselves and, in some cases, jointly with us (Art. 26 GDPR). Operators & privacy policies: Facebook & Instagram (Meta Platforms Ireland Ltd.) Privacy Policy: https://www.facebook.com/about/privacy/ TikTok (TikTok Technology Limited, Ireland) Privacy Policy: https://www.tiktok.com/legal/privacy-policy Your interactions (e.g. comments, likes, messages) may be processed by us when you engage with us.

19. External Links Our website may contain links to external sites. We are not responsible for their content or privacy practices. Please review their privacy policies independently.

20. Hosting & Content Delivery Networks (CDN) Our website may use CDNs (e.g. Cloudflare, Amazon CloudFront) to improve performance and stability. This may involve transmission of your IP address to the CDN provider. The use is based on our legitimate interest in secure and efficient delivery (Art. 6 (1) lit. f GDPR).

21. Third-Party Content (e.g. YouTube, Google Maps) We may integrate third-party content (e.g. videos, maps). This requires third parties to process your IP address and may involve cookies or tracking. The legal basis is your consent (Art. 6 (1) lit. a GDPR). Examples: YouTube (Google Ireland Limited) – video content Google Maps – map display reCAPTCHA – spam protection

22. Right to Lodge a Complaint You have the right to lodge a complaint with a supervisory authority. A list can be found here: https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html

23. Changes to this Privacy Policy We reserve the right to amend this Privacy Policy at any time. The current version will always be available on our website.