Privacy policy

DATA PROTECTION DECLARATION

Version of December 16, 2025

In this data protection declaration, we, Cannabees GmbH (hereinafter, we or
us), explain how we collect and otherwise process personal data.
Personal data means any information relating to an identified or identifiable natural person.
If you provide us with personal data of other persons (for example, family members, data of
work colleagues), please ensure that these persons are aware of this
data protection declaration and only share their personal data with us if
you are authorized to do so and if this personal data is correct.
This is not an exhaustive description; Other privacy policies or general terms and conditions, terms of participation, and similar documents may govern specific matters. This privacy policy is designed to comply with the requirements of the EU General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection (“FADP”). Whether and to what extent these laws apply depends on the individual case. The terms used are not gender-specific. 1. Who can I contact with questions about data protection? Cannabees GmbH, Sentibühlstrasse 3, 6045 Meggen, is responsible for the data processing described here, unless otherwise stated in individual cases. If you have any data protection concerns, you can contact us at the following address: Postal address: Sentibühlstrasse 3, 6045 Meggen; Email: info@cannabees.ch

2 What data do we collect?
We primarily process personal data that we receive from our customers and other business partners in the course of our business relationship with them and other individuals involved, or that we collect from users when operating our websites, apps, and other applications. To the extent permitted,
we also obtain certain data from publicly accessible sources (for example, debt enforcement registers,

land registers, commercial registers, press, internet), from authorities and
other third parties (such as credit agencies, address brokers).
In addition to the data you provide directly to us, the categories of
personal data we receive about you from third parties include, in particular, information from public registers, information we learn in connection with official and
judicial proceedings, information related to your professional
functions and activities (so that we can, for example, conclude and process business with your employer with your assistance), information about you in correspondence and meetings with third parties, credit reports (insofar as we conduct business with you personally), and information about you provided to us by people in your environment (family, advisors, legal representatives, etc.) so that we can conclude contracts with you or involve You
can conclude or process contracts with us (for example, references), your address for
deliveries, powers of attorney, information for compliance with legal requirements such as anti-money laundering regulations and export restrictions, information from banks, insurance companies,
sales and other contractual partners of ours regarding your use or provision of services (for example, payments made, purchases made), information from
media and the internet about you (where appropriate in the specific case, for example, in the context of an application, press review, marketing/sales, etc.), your addresses
and, if applicable, interests and other socio-demographic data (for marketing), data in connection with the use of the website (for example, IP address, MAC address
of the smartphone or computer, information about your device and settings, cookies,
date and time of visit, pages and content accessed, functions used,
referring website, location data).

3 What do we use your data for?
We primarily use the personal data we collect to conclude and process our contracts
with our customers and business partners, in particular within the scope of the following activity:
Sale and trade of CBD products and accessories
In the course of this activity, we collect personal data for business with our customers
and the purchase of products and services from our suppliers and
subcontractors, as well as to comply with our legal obligations at home and abroad.
If you work for such a client or business partner,
your personal data may also be affected in this capacity.
Furthermore, we process personal data from you and other individuals, to the extent permitted and deemed appropriate by us, for the following purposes in which we (and
sometimes third parties) have a legitimate interest corresponding to the purpose:
• Offering and further developing our products, services, and
websites, apps, and other platforms on which we are present;

• Communication with third parties and processing their inquiries (for example,
applications, media inquiries);
• Reviewing and optimizing procedures for needs analysis for the purpose of direct
customer contact, as well as collecting personal data from publicly accessible
sources for customer acquisition;
• Advertising and marketing (including the organization of events), provided you have not objected to the use of your data (if we have informed you as If you, as an existing customer, wish to receive advertising from us, you can object to this at any time; we will then place you on a suppression list to prevent further advertising mailings; • Market and opinion research, media monitoring; • Assertion of legal claims and defense in connection with legal disputes and official proceedings; • Prevention and investigation of criminal offenses and other misconduct (for example, conducting internal investigations, data analysis for fraud prevention); • Ensuring the security of our operations, in particular our IT systems, websites, apps, and other platforms; • Video surveillance to protect our property rights and other measures for IT, building, and facility security and the protection of our employees and other persons, as well as assets belonging to or entrusted to us (such as access controls, visitor logs, network and email scanners, telephone recordings); • Purchase and sale of business units, companies, or parts thereof from companies and other corporate transactions and the associated transfer of personal data, as well as measures for business management and, insofar as this is necessary for compliance with legal and regulatory obligations and internal regulations of Cannabees GmbH. If you have given us your consent to process your personal data for specific purposes (for example, when you register to receive newsletters or undergo a background check), we will process your personal data within the scope of and based on this consent, unless we have and require another legal basis. Consent can be withdrawn at any time, but this will not affect data processing that has already taken place. 4. Cookies/Tracking and other technologies related to the use of our website. We typically use "cookies" and similar technologies on our websites and apps to identify your browser or device. A cookie
is a small file that is sent to your computer and automatically stored on your computer or mobile device by your web browser
when you visit our
website or install our apps. This allows us to recognize you when you revisit this
website or use our app, even if we don't know who you are. In addition to cookies that are only used during a session and

deleted after your website visit ("session cookies"), cookies can also be used
to store user preferences and other information for a specific period of time
(for example, two years) ("persistent cookies"). You can, however, configure your browser
to reject cookies, only store them for a session, or otherwise delete them prematurely. Most browsers are preset to accept cookies. We use persistent cookies to save your user preferences (for example, language, automatic login), to better understand how you use our offers and content, and to show you personalized offers and advertising (which may also happen on other companies' websites; however, these companies do not learn who you are from us, even if we know that ourselves, because they only see that the same user who visited a specific page on our website is also on their website). Some cookies are set by us, and some by our contractual partners. If you block cookies, certain functionalities (such as language selection, shopping cart, and order processes) may no longer work. In our newsletters and other marketing emails, we sometimes include visible and invisible image elements, where permitted. These images, retrieved from our servers, allow us to determine if and when you opened the email. This helps us measure and better understand how you use our offers and tailor them to your needs. You can block this in your email program; most are preset to do so. By using our websites and apps, and by consenting to receive newsletters and other marketing emails, you agree to the use of these technologies. If you do not want this, you must adjust your browser or email program settings accordingly, or uninstall the app if this cannot be adjusted via the settings. We sometimes use Google Analytics or similar services on our websites. This is a service provided by a third party, which may be located in any country in the world (in the case of Google Analytics, it is Google Ireland (based in Ireland), which relies on Google LLC (based in the USA) as a data processor (both "Google", www.google.com), with which we can measure and analyze website usage (non-personally identifiable). This also involves the use of persistent cookies, which are set by the service provider. We have configured the service so that the IP addresses of visitors in Europe are shortened by Google before being forwarded to the USA and therefore cannot be traced back to them. We have deactivated the "Data Sharing" and "Signals" settings. Although we can assume that the information we share with Google is not personal data for Google, it is possible that Google may use this data to draw conclusions about the identity of visitors, create personal profiles, and combine this data with the Google
accounts of these individuals can be linked. If you have registered with the service provider yourself

registered

, the service provider also knows you. The processing of your personal data
by the service provider is then the responsibility of the service provider according to its

privacy policy. The service provider only informs us how our respective
website is used (no information about you personally).
We also use so-called plug-ins from social networks such as
Facebook, Twitter, YouTube, Pinterest, Xing, LinkedIn, or Instagram on our websites. This is always
visible to you (typically via corresponding icons). We have configured these elements so that they are deactivated by default. If you activate them (by clicking),
the operators of the respective social networks can register that you are on our
website and where, and can use this information for their own purposes. The processing of your personal data is then the responsibility of that operator according to its privacy policy. We do not receive any information from them about To you.

5 To whom will my data be disclosed?
As part of our business activities and for the purposes stated in section 3,
we also disclose your data to third parties, insofar as permitted and deemed appropriate by us, either because they
process it for us or because they wish to use it for their own purposes.
This includes, in particular, the following entities:
• Our service providers (such as banks, insurance companies), including
data processors (such as IT providers);
• Dealers, suppliers, subcontractors and other business partners;
• Customers;
• Domestic and foreign authorities, agencies or courts;
• Media;
• The public, including visitors to websites and social media;
• Competitors, industry organizations, associations, organizations and other bodies;
• Acquirers or prospective acquirers of business units;
• Other parties in potential or actual transactions Legal proceedings;
all joint recipients.
If we transfer data to third parties, we comply with the legal requirements and,
in particular, to protect your personal data, we conclude
data processing agreements or similar agreements with the respective
recipients.

6 Will my data be transferred abroad?
We may disclose data to persons, authorities, organizations, companies, or
other bodies abroad. In particular, we may transfer personal data to all
countries where our processors process personal data.
If a recipient is located in a country without adequate legal data protection,
we contractually obligate the recipient to comply with the applicable data protection

(for this purpose, we use the revised Standard Contractual Clauses of the European
Commission, which are available here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?),
unless already subject to a legally recognized set of rules for ensuring data protection and we cannot rely on an exception. An exception may apply, in particular, in legal proceedings abroad, but also in cases of overriding public interest or if contract processing requires such disclosure, if you have given your consent, or if it concerns data that you have made publicly available and whose processing you have not objected to. 7. How long will my data be stored? We process and store your personal data for as long as it is necessary to fulfill our contractual and legal obligations or otherwise for the purposes pursued with the processing, i.e., for example, for the duration of the entire business relationship (from initiation and processing to termination of a contract) and beyond, in accordance with the statutory retention and documentation obligations. It is possible that personal data will be stored for the period in which Claims can be asserted against our company and
to the extent that we are otherwise legally obligated to do so or legitimate
business interests require it (for example, for evidentiary and documentation purposes).
As soon as your personal data is no longer required for the aforementioned purposes,
it will generally be deleted or anonymized to the extent possible. For operational
data (for example, system logs), shorter
retention periods of twelve months or less generally apply.

8 How do we protect your data?
We take appropriate technical and organizational security precautions to protect
your personal data from unauthorized access and misuse.
We already consider the protection of personal data during the development or
selection of hardware, software, or processes through appropriate technical and
organizational measures. Furthermore, we ensure a data protection-friendly
default setting.

9 Am I obligated to disclose my data?
Within the scope of our business relationship, you are not required to disclose the following You provide personal data that is necessary for establishing and conducting a business relationship and fulfilling the associated contractual obligations (you are generally not legally obligated to provide us with data). Without this data, we will generally be unable to conclude or execute a contract with you (or the entity or person you represent). The website also cannot be used if certain information necessary to ensure data transmission (such as your IP address) is not disclosed. 10. Profiling and Automated Decision-Making: We process your personal data partly automatically with the aim of evaluating certain personal aspects (profiling). We use profiling in particular to provide you with targeted information and advice about products. For this purpose, we use evaluation tools that enable us to tailor our communication and advertising to your needs, including market and opinion research. enable.
For the establishment and execution of the business relationship, and also otherwise, we
generally do not use fully automated decision-making (as regulated, for example, in Art.
21 DSG or 22 GDPR). Should we use such procedures in individual cases,
we will inform you separately, provided this is required by law, and
explain your related rights.

11 What data protection rights do I have?
Within the framework of the data protection law applicable to you and to the extent provided for therein (such as in the case of the GDPR), you have the following rights:
• the right to request information from us as to whether and which data we process about you;
• the right to have data corrected if it is inaccurate;
• the right to request the erasure of data;
• the right to request from us the release of certain personal data in a commonly used
electronic format or its transfer to another controller;
• the right to to withdraw your consent, insofar as our processing is based on your consent; the right to request further information necessary for exercising these rights; the right to express your point of view regarding automated individual decisions (section 10) and to request that the decision be reviewed by a natural person. Please note, however, that we reserve the right to assert the legally provided limitations, for example, if we are obliged to retain or process certain data, have an overriding interest in doing so (insofar as we are permitted to rely on such an interest), or require it for the establishment, exercise, or defense of legal claims. If any costs are incurred by you, we will inform you in advance. We have already informed you about the possibility of withdrawing your consent in section 3. Please note that the exercise of these rights may conflict with contractual agreements and This
may have consequences such as early termination of the contract or cost implications.
We will inform you in advance in such cases, unless this is already contractually regulated.
Exercising such rights generally requires you to clearly
prove your identity (for example, by providing a copy of your ID if your identity is not otherwise clear
or verifiable). To assert your rights, you can contact us at the address given in
section 1.
Every data subject also has the right to enforce their claims in court
or to lodge a complaint with the competent data protection authority. The
competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).

12 Amendments
We may amend this Privacy Policy at any time without prior notice. The
current version published on our website applies. If the privacy policy is part of an agreement with you, we will inform you of any changes by email or other suitable means.