We care about your privacy, and it is important to us that you feel secure
about how we process your personal data.

We undertake to respect and protect your personal data and your privacy in compliance
with existing data protection legislation, industry rules and other relevant standards. To give you a
better understanding of how we process data about you, we outline our basic principles for
processing personal data below. These principles represent the information you are entitled to
receive when we collect your personal data.

We are entitled to update this information text (privacy policy) at any time. If the privacy policy is
subject to major changes, we may notify you by email.

Where the information text refers to the word ‘Hövding’, this does not mean the company. It
means our product, the helmet, the Hövding.

Controller

Hövding Sverige AB (publ) (‘We’, ‘Us’, ‘Our’), corporate identity no. 556708-0303, Bergsgatan 33,
214 22 Malmö, Sweden, is the controller for the processing of your personal data when you make a
purchase or submit a notice of nonconformity or contact us in any other context.

How and why does Hövding process personal data and which personal data does it
process?

Purchase via hovding.se
On our website, we offer you the opportunity to buy Hövdings, supplementary products and services.
When you make a purchase, you provide your name, your contact details, your payment details (such
as a credit card number) and your delivery address. The legal basis for processing personal data in
connection with purchases is either to perform a contract of sale or a legitimate interest. Contractual
performance applies when you, as a consumer, purchase a product, and legitimate interest applies
where you represent a legal person.

Warranty and notice of nonconformity
When you submit a notice of nonconformity about a product or when our warranty undertaking
applies, you are given the opportunity to provide information about any loss, damage or injury.
Information about loss, damage or injury often means health data, and we are not permitted to
process health data without your consent. If data needs to be processed based on consent, you will
also be made aware of this, as you must actively consent to the processing of sensitive personal
data.

Other data, such as name, address, email address, phone number, serial number and the size of
your Hövding, is processed in order to handle notice of nonconformity cases or warranty cases. The
legal basis for processing personal data in connection with a notice of nonconformity is derived from
Swedish consumer law, and for warranty cases it is derived from our terms and conditions of sale and
thus the contract of sale between you and us.

Product development
Certain information you provide in connection with a notice of nonconformity or warranty for a new
Hövding may, with our legitimate interest, be used for product development purposes. Please note
here that if you provide sensitive personal data, i.e. data concerning any injury following an accident,
such data must be processed with your consent. You are under no obligation to give consent, and
you will be made aware of any such processing as soon as it becomes relevant.

Market research
When you have purchased our Hövding and are using it, your opinion is important to us.
Consequently, we have a legitimate interest in contacting you for market research purposes. The aim
of our market research is to develop our products and other services.

You are always able to decide whether you want to participate in our market research or not. We
never share your data with any party that has nothing to do with our market research.

Direct marketing
While you are our customer, i.e. for as long as you have an interest in being in contact with us (for
example via a notice of nonconformity, a warranty or other services), we have a legitimate interest in
sending advertising to you, for example by email. You are, of course, permitted to notify us that you
do not wish to receive direct marketing, in which case your data will not be used for direct
marketing. This legitimate interest lasts for one (1) year after you have ceased to be our customer,
provided that you have not notified us that you do not wish to receive direct marketing.

Hövding does not intentionally process data from children or minors and does not carry out any
marketing directed at children or minors.

Marketing
We may use your email address to market ourselves and our products to other potential
customers. This is done by transferring your email address to Facebook, for example, which, in turn,
offers a service in which your email address is used to identify potential new customers by means of
advertising. Please note that we have ensured, via a contract, that your email address is not used for
any purpose other than this.

The data that is provided, among other things, via the consent mentioned under Warranty and notice of
nonconformity may also be used for marketing purposes. We sometimes identify
an interest in republishing all or part of the data in order to create a good story. We will certainly use
any sensitive personal data if an accident resulted in injury, but we will always ensure your right to
privacy. Consequently, we will naturally contact you first if we want to use your name or other
identifiable information.

Recruitment
We have a legitimate interest in processing your personal data in connection with recruitment in
order to receive and process applications and evaluate your suitability for the position for which you
are applying. With your consent, we may also evaluate your suitability for future positions that may
become vacant.

Personal data in connection with recruitment is primarily collected from you, but may be
combined with data collected from other sources, for example social media for professional purposes
and/or your referees.

If we decide to employ you, your personal data will be processed in compliance with our privacy
policy for employees.

If we decide not to employ you, your personal data will be erased as soon as the recruitment
process has been completed, except where we have obtained your consent to evaluate your
suitability for future positions. Read more below about how to withdraw your consent.

Other information
We have a legitimate interest in processing your personal data when you contact us, for various
reasons, by email, by phone or using one of our contact forms. The data is stored while the case is
active, and is subsequently erased.

Do we share your personal data?

To permit us to meet our obligations under the contract of sale, we share your personal data with
suppliers and other partners. These are companies that help us with:

1) delivery and ordering (logistics companies),
2) payment solutions (card acquisition companies, banks and other payment service providers),
and
3) marketing. We may share your email address with companies that help us with digital marketing
(primarily Facebook).

The sharing of personal data described above is entirely in compliance with existing data
protection legislation.

Use of the Hövding app (mobile application)

Depending upon which of the Hövding app’s functions you choose to activate, different types of
personal data will be processed. If you choose to use all of the Hövding app’s functions, we need to
collect localisation data, i.e. data concerning your geographic location. Using the location data, we
create statistics showing for instance where and how far you have cycled and at which speed,
together with an estimate as to how many calories you have burned cycling. Statistics that constitute
personal data will be processed and protected using appropriate technical and organisational
security measures, and are intended for use only by you.

If “My ICE contacts” is activated, the ICE (In Case of Emergency) contacts that you have submitted
will receive an SMS message in case your Hövding helmet is inflated. Such an SMS message will also
contain data concerning your approximate location. When you submit an ICE contact in the Hövding
app, a confirmation SMS message will be sent to the ICE contact’s phone number submitted by you,
informing the ICE contact of the registration. Data will be processed by us for a period of up to one
(1) year after you have ceased using the Hövding app. Hövding will consider your use of the Hövding
app to have ceased when you actively deactivate your account.

The Hövding app will process personal data for Hövding’s legitimate interests. The determination
of Hövding’s legitimate interests will be made in light of your own choices to activate or deactivate
the functions offered in the Hövding app.

Hövding may use anonymised data from the Hövding app for the purposes of developing or
improving its own or its third-party partners’ products or services. Anonymised data is data from
which your identity cannot be derived.

Online & profiling

As mentioned under Marketing (above), physical persons (potential customers) may
receive advertising via social media and other channels. If you receive such online advertising, this
means that you match our profile for potential customers. Profile means gender, age or place of
residence, for example. Please note that we do not receive any of your personal data in connection
with online advertising. Therefore, we cannot know whether you will receive or have received online
advertising. Therefore, it is not necessarily the case that you are covered by this information text
simply because you match our profile(s). However, to perform our obligation to provide information
under existing data protection legislation, we do not want to exclude anything or anyone.

Retailers and partners

If you are an existing or potential retailer and/or partner, we process personal data to maintain
or enable a business relationship. The personal data concerns contacts and includes name, phone
number, email address, position and delivery address. In addition, we may process the above
personal data for development purposes, for example to measure customer satisfaction. We have a
legitimate interest in processing the personal data of retailers and partners.

Criteria for how long we store your personal data

The legal basis for and purpose of processing personal data determine how long we store the
data. There are often statutory requirements (for example in the Swedish Accounting Act
(1999:1078)) to store personal data for a certain maximum period (7-8 years in the Swedish
Accounting Act). If there are no such statutory requirements, we store your personal data until we no
longer need it.

The storage period is often assessed on a case-by-case basis and determined according to aspects
such as the type of data, why the data was collected, for what purpose it was collected and how long
you have an interest, as our customer, in our storing your personal data. For example, we store
customers’ personal data for direct marketing purposes for up to one year after the customer
relationship has ended unless the customer has previously requested not to receive direct marketing.
Please note here that a customer relationship ends when the product has been delivered and when
there is no longer any reason for there to be contact between us and the customer.

You are welcome to contact us if you have any questions or thoughts about the storage
period.

Outside the EU/EEA

In the context of some processing outlined in this information text, data may be transferred to
companies outside the EU/EEA. However, the majority of the data, in particular the data that may, in
any way, deprive you of your freedoms and rights, remains in Sweden. With the recipients outside
the EU/EEA to which we may disclose personal data, we have ensured that your personal data is
afforded the protection that we require in accordance with the legally recognised data transfer
mechanisms for transfer outside the EU/EEA.

Your rights

Right of access
You are always entitled to receive confirmation of the personal data we process about you, and to
request a copy or extract of the personal data that is processed. Remember that, if we receive a
request for access, we may ask for further information to ensure that we disclose data to the right
person.

Right to withdraw consent
Where we process your personal data based on consent, you may withdraw your consent at any time
by contacting us. You can find our contact details at the foot of this information text. Remember that
any processing that has already been performed based on your consent before you withdrew your
consent is not affected by your withdrawal of consent.

Right to erasure
You may request erasure of your personal data if it is no longer needed for the purpose for which it
was collected or if:

  • you withdraw your consent and there is no other legal basis for this purpose,
  • you object to our legitimate interest and your grounds for objection carry heavier weight, or
    if
  • your personal data is being processed unlawfully.

We may decline your request for erasure if contractual or other legal obligations prevent us from
complying with it. These obligations are imposed by accounting and tax legislation, consumer law
legislation or where there is a contract between the parties in which rights and obligations remain in
force.

Right to limited processing
You are entitled to request that our processing of your personal data is limited if:

  • you dispute that the data is correct (however, only during a time that permits us to check
    this),
  • the processing is unlawful and you oppose erasure of the personal data and instead request
    limitation of the use of the data,
  • you need the personal data to make or defend legal claims although we no longer need the
    personal data for the purpose of the processing, or
  • you have objected to the processing and we have not checked whether our legitimate interest in
    processing your personal data carries heavier weight than your legitimate grounds for the processing
    of your personal data to be limited.

Right to object
You may also object to all processing of personal data based on our or a third party’s legitimate
interest. For an objection to result in processing ceasing, it is necessary that we are unable to
demonstrate that our legitimate interest carries heavier weight than your interest.

Direct marketing
You are always entitled to object to our using your personal data for direct marketing, for example by
email. You do this by clicking the relevant link in our emails.

Right to data portability
If the processing of your personal data is based on consent or performance of a contract, you are
entitled to request that the data you have submitted to us (about you) is transferred to you and/or
another controller. This can be done only if it is technically feasible.

Right to rectification
Hövding strives to ensure that all data we process is correct. You are entitled to have incorrect data
rectified, for example your name and address. If data is incorrect, it is rectified without delay.

Right to lodge a complaint with a supervisory authority
If you are dissatisfied with how we process your personal data, you are entitled to lodge a complaint
with a supervisory authority. We are subject to the supervision of the Swedish Data Protection
Authority. For more information, please see www.datainspektionen.se

Phone: +46 (0)40-23 68 68
Postal address: Bergsgatan 33, 214 22 Malmö, Sweden
Email address: info@hovding.com