General about this policy

At Planeten Panter AB, organization number 559391-0499, ("Panter", "we", "us", "our") we care about personal integrity. This means that we respect and safeguard your privacy and the right to control and transparency when processing your Personal Data.

This Privacy Policy (the "Policy") is applicable to the processing operations for which Panter is the Data Controller. The Policy describes in general terms the purposes for which we need your Personal Data, the legal basis on which we rely and the measures we take to protect Personal Data. We also provide information on how to exercise the rights you have in relation to our processing of your Personal Data.

The policy informs you about our handling of Personal Data when you communicate with us, use the Service or visit our website www.panter.se (together "Features").

This policy is addressed to:

• Users of the Service

• Potential customers

• Customers

• Employees of potential customers

• Employees of existing customers

• Visitors to our website

Definitions

"Processing" of Personal Data is anything that can be done with Personal Data, such as storing, modifying, reading, transmitting, etc.

"Applicable law" is the legislation applicable to the processing of Personal Data including the General Data Protection Regulation (GDPR), complementary national legislation, as well as practices, guidance and recommendations issued by a national or European supervisory authority.

"Personal Data" is any information that can be linked to an identifiable living person.

"Data Controller" is the company/organization that decides for which purposes and in which way the Personal Data will be processed and thus also responsible for the processing of Personal Data in accordance with Applicable Law.

"Processor" is the company/organization that processes Personal Data on behalf of the Controller and may therefore only process Personal Data in accordance with the Controller's instructions and Applicable Law.

"Data Subject" means the living, natural person whose Personal Data is processed.

"The Service" is reusable food boxes, coffee cups and glasses etc. for use in connection with takeaway from a restaurant, café or similar. Our reusable packaging is provided with a QR code and is part of a rotation system that requires return within a certain specified time. The service is free of charge as long as the packaging is returned within a specified time. To use the Service, you must have access to a mobile phone and the internet and register a user account. The Service includes use of the website www.panter.se and our web application app.panter.se.

Panter's responsibility for personal data

The information in this Policy covers the Processing of Personal Data for which Panter is a Data Controller, i.e. the Processing for which we determine the purposes (why processing is done) and means (in what way, which Personal Data, for how long, etc.). The policy does not describe how we process personal data in our role as Data Processor - i.e. when we process personal data on behalf of our customers.

Panter provides reusable lunch boxes, coffee mugs and glasses etc. for use in connection with takeaway from restaurants, cafés or similar. Our reusable packaging has a QR code and is part of a rotation system. To ensure rotation of the packaging, users need to register a user account.

Panter's processing of personal data

We have a responsibility to describe and demonstrate how we meet the requirements placed on us when processing your Personal Data. This section aims to give you an understanding of the types of personal data we process about you and for what purposes.

How long do we keep your Personal Data?

We keep your Personal Data for as long as necessary for the purpose for which it was collected. Depending on the legal basis on which we support the processing, this may (a) result from a contract, (b) depend on valid consent, (c) be required by law or (d) result from an internal assessment based on a balance of interests.

We never keep your Personal Data for longer than necessary and delete Personal Data regularly. Panter also takes reasonable steps to keep the Personal Data processed up-to-date and to delete outdated and otherwise inaccurate or redundant Personal Data.

Processing operations

The main purpose of the personal data processing we carry out is to provide, perform and improve our services to you. There are several different reasons why we may need to collect, manage and store your data.

We mainly process the following personal data:

• Contact and identification data to confirm your identity, verify your data and communicate with you.

• Information about your use of the service or product to improve your customer experience.

• Payment information to be able to offer, for example, direct debit and other payment methods.

How do we access your personal data?

We collect your personal data in a number of different ways. First and foremost, we gain access to your personal data:

• By you providing us with your personal data.

Legal grounds

In order for us to process your personal data, we need to have a legal basis for the respective processing. In our business, we process your personal data mainly on the following grounds:

Balancing of interests - Panter may process personal data if we have assessed that there is a legitimate interest that outweighs the Data Subject's protection of personal integrity and if the Processing is necessary for the purpose in question, e.g. for direct marketing.

If you want further information about the legal basis(s) for which we process your personal data, you always have the right to request a so-called register extract. Read more under "How to use your rights" below.

Your rights

You are the controller of your personal data. We always strive to ensure that you can exercise your rights as effectively and smoothly as possible.

Access - You always have the right to receive information about the Personal Data processing that concerns you in a so-called register extract. The register extract shows, among other things, which of your personal data we have stored and for what purposes and on what legal basis. We only disclose information if we have been able to ensure that it is actually you who are asking for the information.

Rectification - If you discover that the Personal Data we process about you is incorrect, contact us and we will fix it!

Erasure - Do you want us to forget you completely? You have the right to request erasure of your Personal Data when it is no longer necessary for the purpose for which it was collected. If we are required to retain your data by law or a contract we have entered into with you, we will ensure that it is only processed for the specific purpose stated in the law or contract. Thereafter, we will ensure that the data is deleted as soon as possible.

Objection - Do you disagree that our interest in processing your Personal Data outweighs your privacy interest? No problem - in that case, we will review our balance of interests and check that it still holds. We will of course take your objection into account when we make a new assessment to evaluate whether we can still justify our Processing of your Personal Data. If you object to direct marketing, we will delete your Personal Data immediately without reviewing our assessment.

Restriction - You can also ask us to restrict our Processing of your data:

While we are dealing with a request from you for any of your other rights.

If, instead of requesting erasure, you want us to indicate that the data should not be processed for a specific purpose. For example, if you do not want us to send you advertising in the future, we still need to keep your name to know that we should not contact you.

In cases where we no longer need the data for the purpose for which it was collected, provided that you do not have an interest in us keeping the data in order to pursue a legal claim.

Data portability - We can give you the data that you have provided to us or that we have received from you in the context of entering into a contract with you. You will receive your data in a commonly used and machine-readable format which you can then take with you to another Data Controller.

Withdrawing consent - If you have consented to one or more specific processing(s) of your Personal Data, you have the right to withdraw your consent at any time and thereby ask us to cease the Processing immediately. Please note that you can only withdraw your consent for future Processing(s) of Personal Data and not for any Processing that has already taken place.

How to use your rights

Contact us at hello@panter.se and we will help you.

Transfer of Personal Data

In order to conduct our business, we may need the help of others who process Personal Data on our behalf, so-called Data Processors.

In cases where our Processors transfer Personal Data to a country outside the EU/EEA, we have ensured that the Processing is lawful under Applicable Law by fulfilling one of the following requirements:

• There is a decision from the European Commission that the country ensures an adequate level of protection;

• The application of the European Commission's standard contractual clauses for third country transfers; or

• Other appropriate safeguards that comply with Applicable Law.

We have entered into Personal Data Processing Agreements (PDPAs) with all our Data Processors. The PUB agreement regulates how the Processor may process the Personal Data and what security measures are required for the personal data processing.

We may also need to provide your Personal Data to certain designated authorities in order to fulfill obligations under law or government decisions.

Our personal data processors

Panter does not sell your personal data to anyone and of course we do not share your personal data with anyone. However, in some cases we may share your Personal Data with selected third parties. If this happens, we make sure that the transfer is done in a secure way that preserves your privacy. Below are categories of recipients with whom we may share your data.

IT suppliers for e.g. business systems and case management. To carry out our assignments and services, we store your data in our business systems (a system that administers our customers and contacts).

Security and safety

Panter has taken technical and organizational measures to ensure that your personal data is processed in a secure manner and that it is protected from loss, misuse and unauthorized or unauthorized access.

Our security measures

Organizational security measures are measures that are implemented in practices and procedures within the organization. Our organizational security measures are:

Login and password management

Technical security measures are measures implemented through technical solutions. Our technical security measures are:

• Access list

• Access log

Cookies

Panter uses cookies and similar tracking technologies to, among other things, analyze how Features are used so that we can provide you with the very best user experience.

If we do not keep our promises

If you feel that we are processing your Personal Data incorrectly, even after you have brought this to our attention, you always have the right to submit your complaint to the Swedish Data Protection Authority.

More information about our obligations and your rights can be found on the website of the Swedish Data Protection Authority (https://www.imy.se/). You can also contact the Authority at imy@imy.se.

Changes to this policy

We reserve the right to make changes to this Policy. Where the change affects our obligations or your rights, we will inform you of the changes in advance so that you have the opportunity to consider the updated policy.

Contact us

Please contact us if you have questions about your rights or if you have any other questions about how we process your personal data: hello@panter.se