INTERNAL DATA PROTECTION POLICY

Internal governance document of LakeHouse S.à r.l-S. Confidential. Do not publish.

DOCUMENT CLASSIFICATION

  • Nature: Internal policy — governance document.
  • Recipients: employees, consultants, interns and providers with access to personal data.
  • External distribution: prohibited without the express authorization of the Board of Managers.
  • Role: serves as proof of compliance under Article 5(2) of the GDPR (accountability principle) in the event of a CNPD audit.

1. Purpose and scope

This policy defines the rules, responsibilities and procedures applied by LakeHouse S.à r.l-S (hereinafter "the Company"), operating the Fantino® brand, regarding the protection of personal data, in accordance with Regulation (EU) 2016/679 (hereinafter "GDPR") and the Luxembourg law of 1 August 2018 organizing the National Commission for Data Protection and the general data protection regime.

It applies to all employees, consultants, interns and providers who have access, directly or indirectly, to the personal data processed by the Company. Compliance with it is a condition for maintaining access.

2. Guiding principles

All processing of personal data carried out by the Company respects the principles set out in Article 5 of the GDPR:

  • Lawfulness, fairness and transparency.
  • Purpose limitation: data is only collected for explicit, specified and legitimate purposes.
  • Minimization: only strictly necessary data is collected.
  • Accuracy: data is kept up to date; inaccurate data is deleted or rectified without delay.
  • Storage limitation: data is not kept beyond the period necessary for the intended purpose.
  • Integrity and confidentiality: all appropriate measures are taken to ensure the security of the data.
  • Accountability: the Company is able to demonstrate compliance with these principles.

3. Governance and responsibilities

3.1 Data controller

The data controller is LakeHouse S.à r.l-S, represented by its Board of Managers. The Board of Managers is the ultimate decision-making body regarding data protection.

3.2 Data protection contact

Given the size of the Company and the nature of its processing, the formal appointment of a Data Protection Officer (DPO) is not mandatory under Article 37 of the GDPR. A Data Protection Contact (hereinafter "Contact") is nevertheless appointed internally by decision of the Board of Managers.

Name of the Contact: [to be completed].
Email: contact@fantinolux.com

The Contact:

  • Is the single point of contact for any question, request to exercise rights and incident report.
  • Maintains the register of processing activities.
  • Coordinates the response to requests to exercise rights and to data breaches.
  • Conducts the annual compliance review.
  • Reports at least once a year to the Board of Managers.

3.3 Individual responsibilities

  • Each employee is personally responsible for compliance with this policy within the scope of their duties.
  • Any serious breach may give rise to disciplinary sanction up to and including dismissal for misconduct.
  • Providers are bound by equivalent obligations via their subcontracting contract.

4. Register of processing activities

The Company keeps and maintains a register of processing activities in accordance with Article 30 of the GDPR. For each processing operation, it mentions:

  • The purpose.
  • The categories of data subjects and the categories of data.
  • The actual and potential recipients.
  • The legal basis (Article 6 and, where applicable, Article 9 of the GDPR).
  • The retention period and the criteria determining it.
  • The technical and organizational security measures.
  • Any transfers outside the European Union and their legal framework.

The register is reviewed at least once a year, or whenever there is a notable change (new tool, new provider, new collection channel).

5. Inventory of processing operations

The main processing operations identified are as follows:

  • Customer and order management (legal basis: performance of the contract).
  • Keeping patterns and workshop archives, including body measurements (legal basis: performance of the contract; extended duration justified by the bespoke nature — see public privacy policy, section 3).
  • Invoicing and accounting (legal basis: legal obligation — 10 years).
  • Newsletter and commercial communications (legal basis: consent, revocable at any time).
  • Site management, non-essential cookies, audience measurement (legal basis: consent; legitimate interest for strictly necessary cookies).
  • Management of human resources and providers (legal basis: performance of the contract / legal obligation).
  • Editorial photographs and customer testimonials (legal basis: explicit consent).

6. Reinforced processing of body measurements

The Company recognizes that body measurements, although necessary for the performance of its activity, may be perceived as intimate and, depending on the circumstances and their precision, approach health data within the meaning of Article 9 of the GDPR.

As such, it applies, as a precautionary principle, reinforced measures detailed in the public privacy policy (section 3) and recalled below:

  • Access strictly limited to the tailors, cutters and workshop staff directly involved in the order.
  • Storage on an encrypted system, separate from marketing or accounting tools.
  • Pseudonymization during exchanges with partner workshops.
  • Formal prohibition of misuse (personal photography, export, external sharing).
  • Possible physical archiving under secure conditions (locked cabinets, access-controlled premises).

7. Security measures

  • Encryption in transit (HTTPS/TLS) on the site and in all external exchanges.
  • Encryption at rest for databases containing measurements and sensitive data.
  • Access to databases via individual identifiers, with strong passwords, renewed periodically.
  • Two-factor authentication (2FA) on critical tools (email, hosting platform, CRM, accounting tool).
  • Encrypted backups, at regular frequency, kept separately.
  • Automatic locking of workstations after inactivity; prohibition on keeping data on unencrypted removable media.
  • Annual staff training in data protection and cybersecurity.

8. Subcontracting

Any subcontracting relationship involving access to personal data is governed by a processing agreement compliant with Article 28 of the GDPR, signed prior to the start of operations.

Each processor is subject to an assessment of its guarantees: any certifications, location, security measures, history of breaches. The list of processors is kept up to date by the Contact and appended to the register of processing operations.

9. Procedure for managing requests to exercise rights

  1. Receipt of the request by email, post or at the showroom.
  2. Acknowledgement of receipt sent within 72 hours.
  3. Reasonable verification of the requester's identity.
  4. Examination and response within a maximum period of one month (extendable by two months for complex requests, with reasoned information).
  5. Traceability: each request is recorded in a dedicated register (date, nature, action taken).

10. Procedure in the event of a data breach

  1. Any incident or suspected incident is immediately reported to the Contact.
  2. Assessment of the risk to the data subjects within 24 hours.
  3. Notification to the CNPD within 72 hours if the risk is established (Article 33 of the GDPR).
  4. Information of the data subjects if the risk to their rights and freedoms is high (Article 34).
  5. Complete recording in the breach register: nature, consequences, measures taken.
  6. Formalized feedback to prevent recurrence.

11. Impact assessment (DPIA)

A data protection impact assessment (DPIA) is conducted prior to any new processing likely to result in a high risk to the rights and freedoms of individuals, in accordance with Article 35 of the GDPR. The Contact is responsible for steering it.

12. Training and awareness

Every new employee receives data protection awareness training within the first two weeks of their arrival. An annual refresher session is organized for all staff. A concise written document is permanently available.

13. Review and update

This policy is reviewed at least every twelve months by the Contact, and at each notable regulatory or organizational change. Changes are submitted to the Board of Managers for adoption. The version in force is signed and dated.

14. Sanctions

  • For employees: proportionate disciplinary sanction, up to and including dismissal for serious misconduct in the event of deliberate or repeated breach.
  • For providers: termination of the contract at the exclusive fault of the processor, without prejudice to claims for compensation.
  • Where applicable, reporting to the competent authorities if the facts constitute an offence.

Appendix — Register of key contacts

  • Data controller: LakeHouse S.à r.l-S
  • Registered office: 25B Boulevard Royal, L-2449 Luxembourg
  • RCSL: B300387
  • Data protection contact: [Name — to be completed]
  • Supervisory authority: CNPD — 15 Boulevard du Jazz, L-4370 Belvaux
  • Host: Hostinger International Ltd. (Cyprus, EU)