PRIVACY POLICY

Leasys Group has implemented a policy for the management of personal data in order to ensure that it is processed in accordance with applicable regulations:

• European Regulation No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, the «General Data Protection Regulation» or «GDPR»).
• Organic Law 3/2018 of 5 December on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), as well as any other national regulations applicable in the field of personal data protection. This privacy notice describes our rules for protecting information about your prospective customers, customers, your customers' employees, partners, your partners' employees, students or independent candidates, suppliers and visitors to your website.

PROTECTION AND MANAGEMENT OF PERSONAL DATA

1. RESPONSIBILITY FOR PROCESSING

• LEASYS SpA Branch in Spain with Tax ID number W0056629I (hereinafter "Leasys") is responsible for the processing of personal data communicated in the context of:
  • A request for information,
  • A quote,
  • An order,
  • The day-to-day management of your contracts and services,
  • An internship request or job offer.
• LEASYS SpA Branch in Spain with Tax ID number W0056629I accepts no responsibility for the disclosure of information to third parties and outside the strict framework of the use of its web spaces or those of its partners. It is therefore your responsibility to take all necessary precautions to avoid any errors or elements of a destructive nature, such as viruses.

2. ADEQUATE, RELEVANT AND LIMITED DATA COLLECTION

• In order to establish and maintain our relationship, we will collect your data directly from you, depending on our type of relationship:
  • Identification: name, surname, nationality, signature (or signature delegation), intra-community VAT number, ...
  • Contact: postal address, email address, telephone, ...
  • Personal: marital status, number of children, household composition, etc.
  • Professional: training, studies, employer, occupation, etc.
  • Economic and financial: bank details, IBAN, creditworthiness, tax identification, tax status, country of residence, etc.
  • From browsing our websites or applications: cookies, IP address, login and browsing data, etc.
  • Your habits and preferences when using our products and services or your contacts with us.
  • To verify that you are fit to drive, we may ask you for your driving licence.
• Where permitted by local legislation, we may use a provider experienced in facial recognition technologies to identify you in certain cases, such as electronic signatures. As this involves sensitive data, this provider will ask for your consent if you choose this type of authentication. Their data protection charter will be available on their website (https://www.signaturit.com/privacy-policy/).
• We may also collect data about other people indirectly because they are related to you (some will be informed by us, others you will need to inform yourself):
  • Marketing voucher;
  • Guarantor or surety;
  • Heirs and beneficiaries in the event of death;
  • For legal entities: legal representatives and authorised persons, beneficial owners and shareholders;
  • Employees or drivers (not subscribers to the lease agreement).
• We may also collect some of the data from the vehicle we rent to you for our use or for your use or that of judicial and/or administrative authorities: mileage, accident report, geolocation (deactivated), maintenance...

3. PROCESSING AND PURPOSES

Our processing activities are lawful, fair and transparent. The associated purposes are defined, explicit and legitimate. The list below is not exhaustive and may change in response to changes in legislation or our line of business.

• • On the basis of the formation of the contract (prospective customer) or during the performance of the contractual relationship (customer):When studying your long-term rental (LTR) request/renewal, automated processes may be implemented through our banking intermediary or any other intermediary used for this purpose (scoring or pre-scoring). This is a decision-making aid: human intervention is provided for the decision-making process. Depending on the provider, some AI tools may be used with your formal consent, as is the case with Microsoft Copilot and Stellantis GenAI Playground.
  • You have the right to obtain an explanation of the decision and to challenge it by requesting a reassessment.
  • Certain specialist entities may analyse your financial solvency, credit risk and verify the ownership and validity of the bank account, in order to assess the viability of the requested transaction and prevent possible fraud.
  • You may subscribe to additional services or to certain services independently (without an LTR contract).
  • All operations related to the management of our relationship, from the pre-contractual phase to the return of the vehicle.
  • The management of amicable and contentious recovery and, in general, any necessary judicial or extrajudicial action related to the performance of our contract.
• On the basis of legal and regulatory obligations:
• We use some of your data to comply with certain legal obligations in our own right or in relation to third parties:
  • Prevention and control of money laundering and terrorist financing. We must comply with international sanctions and embargo rules. This requires us to identify you and verify your identity when you submit an application and throughout our relationship.
  • Leasys and/or our financial intermediaries consult regulatory files when examining your long-term lease application.
  • In accordance with our legal obligations, we are also required to notify the relevant organisation in the event of a payment incident that must be recorded (for example, the National Credit Repayment Incident Register).
  • In some cases, we may be asked to provide information in response to an official request from a judicial, criminal, tax or administrative authority.
• • On the basis of our legitimate interest (balanced against the protection of your interests and rights):We use some of your personal data to manage our customer relationship:
    1. Improving the quality of our products or services.
    2. Conducting satisfaction or opinion surveys (customers, prospective customers, etc.) internally or externally (Trustpilot: https://fr.legal.trustpilot.com/for-reviewers/end-user-privacy-terms).
    3. Improving the training of our advisors (by listening to your telephone calls or recording your telephone conversations), tracking your current or specific requests and improving our processes.
    4. Reports, studies, statistics and audits to monitor our activities and our obligations to our shareholders.
  • We also use your data to improve:
    1. The management, prevention and detection of internal fraud.
    2. Risk management and regulatory compliance.
  • We may share certain information with trusted third parties (banks and financial institutions) when assigning or securitising receivables (securitisation is the conversion of illiquid assets, such as receivables, into easily tradeable securities).
• • On the basis of your consent (or that of your employees/drivers), which may be withdrawn at any time:We may carry out electronic commercial prospecting (email and SMS).
  • We may send you offers for products or services from our company, our shareholders, Crédit Agricole Personal Finance & Mobility and Stellantis NV or some of our partners.
  • We may also offer you the opportunity to participate in competitions or promotional offers.
• • On the basis of our legitimate interest and your consent:Call centre management (provision of a telephone service to your customers to support the management and performance of the contract);
  • Websites and cookies (certain information is collected through cookies that allow you to enjoy a more complete experience and improve your browsing, combat fraud and analyse the performance of our website and services);
  • Profiling (profile configuration, to allow us to better understand your profile and interests, in particular to personalise your experience in the use of our website and services, as well as to tailor marketing and remarketing activities to your needs and interests).
• On the basis of your vital interest:
• We may use your private information to contact you if there are urgent safety notices or product reminders to communicate to you, or when we reasonably believe that the processing of your private information will prevent or reduce any potential harm to you. It is in your vital interest that we use your private information in this way.

4. RETENTION PERIOD

• We do not retain your personal data for longer than necessary for the purposes for which it was obtained, unless we are legally required to retain it for longer or are entitled to do so if necessary.
• Information provided on the website https://www.leasys.com/es/espanol, depending on the customer/candidate process, is retained for a period of three (3) to six (6) months.
• Information provided on the website https://areaclienti.leasys.com/MyLeasys/app/#/auth/login is retained for a period of three (3) months to five (5) years, depending on the data.
• Data collected during a quote request that is not followed by the signing of a contract is retained for six (6) months.
• Personal data of a prospective customer (corporate customer) that may be used for commercial prospecting is retained for three (3) years.
• Data collected in the context of a signed lease agreement is retained for ten (10) years from the end of the contract, in compliance with Law 10/2010 of 28 April on the prevention of money laundering and terrorist financing, as well as to meet any legal obligations of a tax and accounting nature. This retention is aimed at fulfilling the legal obligations of money laundering prevention, and the period may be extended until all avenues of appeal are exhausted in the event of litigation.

5. THIRD PARTIES INVOLVED IN PROCESSING

In some cases, Leasys communicates your personal data to third parties who are independent or affiliated «data controllers». Only data strictly necessary for the fulfilment of the tasks of such third parties will be transmitted. Leasys may share data with:

• other divisions of Leasys S.p.A. and its shareholders, Crédit Agricole Personal Finance & Mobility and its shareholders, Stellantis NV and its shareholders, for the performance of a contract with you or for justified commercial interests (consent, contract and legitimate interest);
• dealers or intermediaries in its brand/distribution network or our broker (consent, contract and legitimate interest);
• if we suspect a violation of third-party rights, punishable acts or abuse, we may provide personal data to third parties with a legitimate interest in this, to supervisory authorities or to administrative or judicial authorities (legal obligation, protection of your vital interests and those of another natural person);
• parties that provide assistance to Leasys in the course of their service and who are not subcontractors. For example, accountants and legal advisors, banks, insurance companies and car manufacturers (legal obligation, legitimate interest);
• our data processors: external parties to whom we delegate certain processing activities. For example, security system providers, accounting and other consultants, data hosting providers, banking, insurance, etc. We have signed agreements with each of our data processors to ensure that your data is processed with appropriate safeguards and only in accordance with our instructions (contract, legitimate interest);
• parties that assist Leasys in the deployment of marketing activities: monitoring of our service quality or partnerships or for commercial purposes (your prior consent will have been required, legitimate interest);
• system administrators: our employees or those of the data processors to whom we have delegated the management of our IT systems and who may therefore access, modify, suspend or limit the processing of your data. These parties have been selected, adequately trained and their activities are monitored by systems that they cannot modify, as established by the provisions of our competent supervisory authority (contract, legitimate interest);
• service providers (for example, hosting providers, software providers, external customer service or parties that organise or carry out actions and investigations for Leasys). Leasys is required to enter into a contract.

6. TRANSFER OF DATA OUTSIDE THE EUROPEAN ECONOMIC AREA

• Your data will not be transferred to a third country or to an international organisation, except in exceptional and strictly necessary cases.
• If necessary, for technical or operational reasons, the same data could be processed in countries outside the European Union, provided there is a European Commission adequacy decision (a list updated periodically by supervisory authorities and available on their websites).
• In the absence of this, any transfer of personal data to third countries will only be possible if the relevant controllers and officials provide appropriate contractual or legal safeguards, including the standard contractual clauses adopted by the European Commission ((EU) 2021/914).

7. LINKS TO THIRD-PARTY WEBSITES

Third-party websites, which can be accessed via hyperlinks or references, are the responsibility of those third parties. Leasys accepts no responsibility for the request or supply of personal data to third-party websites.

We recommend that you consult the privacy statement of the relevant third party for information on how they manage personal data.

8. MARKETING, PROFILING AND COOKIES

• Leasys uses cookies (small text files that are stored on your computer and retained for up to thirteen (13) months). Our cookie policy is available in the footer of the website.
• The purpose of minimum (technically necessary) data is to allow the correct functioning of the site and to detect fraudulent or repeated connection attempts in order to protect the connection system against misuse.
• Our website uses Google Analytics 4, a web analytics service offered by Google Inc. («Google»). Google Analytics 4 uses cookies to help analyse the use of the website. The information generated by a cookie about the use of the website is transferred to Google and recorded by Google (https://support.google.com/analytics/answer/12017362).
• With your consent, we use this information to:
  1. Maintain the way you use the website;
  2. Compile reports on website activity for Leasys;
  3. Provide other services related to website activity and internet use.
• You may refuse the use of cookies on your first login (or on each private login) or change your consent in the «Manage my settings» tab available in our cookie policy.

9. INTERACTION WITH SOCIAL NETWORKS

1. 1. Customer service via social networks:You may also contact us via our social networks. For example, if you send or post a message on our social media pages, we may use the information contained in your message or post to contact you regarding the question or request made. In order to provide you with the requested assistance, we may ask you to provide us, via direct or private message, with additional information such as details of the problem, your name, email address, telephone number, location (city/country), registration number, identification number (VIN) and/or the make, model and year of the vehicle. The information you provide to us will not be used for direct marketing purposes; market research to improve services and products will only be carried out on the basis of aggregated (anonymous) data.
   2. Please note that you should not transmit sensitive data (such as information about racial or ethnic origin, political opinions, religious or philosophical beliefs, or health) in your message. When you post a message in the public space of a social network, everyone can read it.

• Links to social networks:
• Our website includes links to social networks.
  1. In order to protect your personal data when you visit our website, we do not use social plugins. Instead, HTML links are integrated into the website, allowing easy sharing on social networks. The integration of such a link avoids a direct connection with the various social network servers when opening a page of our website. Clicking on one of the buttons opens a window in the browser and directs the user to the website of the relevant social network, where (after logging in) they can, for example, use the «Like» or «Share» button.
  2. For more information on the purpose and scope of data processing and on the further use of your personal data by social networks and their websites, as well as on your rights and the possible settings to protect your privacy, please consult the data protection information sheets of each social network.
  4. Facebook: http://www.facebook.com/policy.php
  5. Twitter: https://twitter.com/privacy
  6. Instagram: https://help.instagram.com/155833707900388
  7. YouTube: https://www.google.de/intl/de/policies/privacy/
  8. LinkedIn: https://www.linkedin.com/legal/privacy-policy

10. EXERCISING YOUR RIGHTS

In accordance with current regulations, you may exercise certain rights with respect to our services, within the limits permitted by the regulations:

* Where applicable under local regulations, anti-money laundering and counter-terrorist financing regulations prohibit us from giving you direct access to your personal data processed for this purpose. In this case, you must exercise your right of access with the local authority, which will request it from us.

• To exercise any of the rights mentioned above, you may send your request at any time, without justification or cost, to the following email address: dpo.spain@leasys.com. You will be asked to confirm your identity by providing certain information or a copy of official documents.
• You also have the right to lodge a complaint with the Spanish Data Protection Agency or to avail yourself of the remedies provided for by applicable legislation.

11. PROTECTION

We have taken appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, as well as against loss, destruction, degradation, modification or disclosure.

Our information systems security policy can be provided upon request.

12. AMENDMENT OF THIS PRIVACY STATEMENT

• We reserve the right to unilaterally modify or supplement this Privacy Statement. We recommend that you consult our privacy statement regularly.
• This Privacy Statement was last updated in September 2025.

13. CONTACT LEASYS

If you have any questions or comments about this Privacy Statement or about the processing of personal data, you may contact us by post:

Leasys SpA Branch in Spain

For the attention of the Data Protection Officer

Calle Eduardo Barreiros 110, 28041, Madrid

or by email: dpo.spain@leasys.com