With this Data Protection Statement, Fam. Vidal (hereinafter Vidal, we or us), describes how we collect and further process personal data.

This Data Protection Statement is in line with the EU General Data Protection Regulation (GDPR).  Although the GDPR is a European Union (EU) regulation, it may be relevant for us. The Swiss data  protection legislation (FADP) is heavily influenced by EU law. In addition, companies outside the  European Union or the European Economic Area (EEA) must comply with the GDPR in certain  cases.

This Privacy & Cookies Statement describes how the website Madihome.com represented by its owner, Mr Jacopo Vidal, he collects, uses, shares, and  otherwise processes Personal Data about:

• Visitors to our websites;
• Any other individuals about whom the Company obtains Personal Data.

This Data Protection Statement is not necessarily a comprehensive description of our data  processing.

Definitions

In this Privacy & Cookies Statement, “Personal Data” means information that enables you to be  identified as an individual or recognized directly or indirectly.

Data Controller: Vidal has determined the purposes for which, and the manner in which, your  Personal Data is processed. The Data Controller has overall responsibility for compliance with the  Data Protection Laws. Any questions about the operation of this Notice or any concerns that the  Notice has not been followed should be referred in the first instance to Rickert  Rechtsanwaltsgesellschaft mbH / Vidal/ Colmantstraße 15 / 53115 Bonn / Germany / art-27- rep-vidal@rickert.law.

Data Processor: Any person or organisation that is not a Data User that processes personal data on our  behalf and in accordance with our specific instructions. Our staff will be excluded from this  definition but, the definition could include suppliers and distributors who handle personal data on  our behalf.

EU Representative: According to Art.27 GDPR, a representative must be appointed in at least one EU  country when the company is based outside the European Union as long as the processed data  pertains to data subject in the Union.

Our EU-GDPR representative according to Art. 27 GDPR is Rickert Rechtsanwaltsgesellschaft mbH / Vidal / Colmantstraße 15 / 53115 Bonn / Germany /art-27-rep-vidal@rickert.law.

We primarily use collected data in order to conclude and process contracts with our clients and  business partners, in particular in connection with MADI’s promotion, distribution and sale.

The purposes for which we process your data are the following:

– to fulfil our contractual obligations and responsibilities to you.

– to respond to your requests, queries, and problems.

– to provide you with updates on Madihome-related activities and products.

We typically use “cookies” and similar techniques on our websites which allow for an identification  of your browser or device. A cookie is a small text file that is sent to your computer and automatically  saved by the web browser on your computer or mobile device, when you visit our website. If you  revisit our website, we may recognize you, even if we do not know your identity. Besides cookies  that are only used during a session and deleted after your visit to the website (“session cookies”), we  may use cookies in order to save user configurations and other information for a certain time period  (e.g., two years) (“permanent cookies”). Nevertheless, you may configure your browser settings in a  way that it rejects cookies, only saves them for one session or deletes them prematurely. Most  browsers are pre-set to accept cookies. We use permanent cookies in order to understand how you  use our services and content. If you block cookies, it is possible that certain functions (such as e.g.,  language settings, shopping basket, ordering processes) are no longer available to you. We may use  Google Analytics or similar services on our website. These are services provided by third parties,  which may be located in any country worldwide (in the case of Google Analytics Google LLC is in  the U.S., www.google.com) and which allow us to measure and evaluate the use of our website (on  an anonymized basis). For this purpose, permanent cookies are used, which are set by the service  provider. The service provider does not receive (and does not retain) any personal data from us, but  the service provider may track your use of the website, combine this information with data from  other websites you have visited and which are also tracked by the respective service provider, and  may use this information for its own purposes (e.g., controlling advertisements). If you have  registered with the service provider, the service provider will also know your identity. In this case,  the processing of your personal data by the service provider will be conducted in accordance with  its data protection regulations. The service provider only provides us with data on the use of the  respective website (but not with any personal information on you).

In the context of our business activities and in line with the purposes of the data processing set out  in Section 2, we may transfer data to third parties, insofar as such a transfer is permitted and we  deem it appropriate, in order for them to process data for us or, as the case may be, their own  purposes. In particular, it may be necessary for us to disclose your Personal Data to the following categories of recipients:

• our service providers (such as e.g., banks, insurance companies), including processors (such  as e.g., IT providers);
• suppliers, subcontractors (such as surveyors, notaries and MADI experts) and other  business partners.

In selecting this service provider, we ensured that data protection standards established by these  terms and conditions could be maintained by the service provider; that in the course of processing  conducted by the service provider personal data is only transferred to countries that have been  deemed to provide an adequate level of protection for personal data by the European Commission  (see European Commission: Adequacy of the protection of personal data in non-EU countries); and  that the service provider is part of the Privacy Shield which requires them to provide similar

protection to personal data shared between Europe and the US (for further details, see European  Commission: EU-US Privacy Shield).

Or in certain situations:

• If we are under a duty to disclose or share your Personal Data in order to comply with any  legal obligation, lawful requests, court orders and legal process.
• To enforce or apply any contract or other agreement with you.
• To protect our rights, property, or safety and that of our employees, members, or others, in  the course of investigating and preventing money laundering and fraud.

Certain Recipients may be within Switzerland, but they may be located in any country worldwide.  We shall only transfer any Personal Data we hold to a country outside the European Economic Area  (“EEA”), if one of the following conditions applies:

• The country to which your Personal Data shall be transferred ensures an adequate level of  protection and can ensure your legal rights and freedoms.
• You have given your consent that your Personal Data is transferred.
• The transfer is necessary for one of the reasons set out in the enactments, including the  performance of a contract between you and us, or to protect your vital interests.
• The transfer is legally required on important public interest grounds or for the  establishment, exercise or defence of legal claims.
• The transfer is authorised by the competent Data Protection Authority and we have received  evidence of adequate safeguards being in place regarding the protection of your privacy, your  fundamental rights and freedoms, and which allow your rights to be exercised.

The Personal data we hold may also be processed by staff operating outside the EEA who work for  us or for one of our suppliers. Those Data Users may be engaged in, among other things, the fulfilment  of contracts with you, such as the processing of payment details and/or the provision of support  services.

We process and retain your personal data as long as required for the performance of our contractual obligations and compliance with legal obligations or other purposes pursued with the processing, i.e. for the duration of the entire business relationship (from the initiation, during the performance of the contract until it is terminated) as well as beyond this duration in accordance with legal retention and documentation obligations. Personal data may be retained for the period during which claims can be asserted against our company (i.d. particularly during legal prescription periods) or insofar as we are otherwise legally obliged to do so or if legitimate business interests require further retention (e.g., for evidence and documentation purposes). As soon as your personal data is no longer required for the above-mentioned purposes, it will be deleted or anonymized, as far as possible. In general, shorter retention periods, of no more than twelve months, apply for operational data (e.g., system logs).

We have taken appropriate technical and organizational security measures to protect your personal data from unauthorized access and misuse such as internal policies, training, IT and network security solutions, access controls and restrictions, encryption of data carriers and transmissions, pseudonymisation, inspections.

In the context of our business relationship, you must provide us with any personal data that is necessary for the conclusion and performance of a business relationship and the performance of our contractual obligations. As a rule, there is no statutory requirement to provide us with data. Without this information, we will usually not be able to enter into or carry out a contract with you (or the entity or person you represent). In addition, the website cannot be used unless certain information is disclosed to enable data traffic (e.g., IP address).

In accordance with and as far as provided by applicable law (as is the case where the GDPR is  applicable), you have the following rights.

– To access: You are entitled to request access to your Personal Data unless providing a copy would  adversely affect the rights and freedoms of others. You can also request information about the  different categories and purposes of data processing; recipients or categories of recipients who  receive your Personal Data, details on how long your Personal Data is stored for, information on your  Personal Data’s source and whether the Data Controller uses automated decision making. You also  have “Data Portability” rights which includes the right to request a copy of your Personal Data be  sent to you or transmitted to another Data Controller.

– To rectify: You are entitled to request we correct or complete your inaccurate or incomplete Personal  Data without undue delay, and we will update the information and erase or correct any inaccuracies  as required.

– To erase: You can exercise your “right to be forgotten” and can request we erase your Personal Data.  Once receiving a request, we must erase the Personal Data without delay, unless an exception applies  that permits us to continue processing your data.

– To restrict: You may request restrictions be applied to the processing of your Personal Data for some  specific reasons such as you contest the accuracy of the data, the processing is unlawful or if we no  longer need to process your Personal Data. You can also request restrictions be applied if the  processing is being done for public interest or third-party reasons.

– To object: You may also object to your Personal Data being processed under certain circumstances.  If we receive such an objection, we will stop processing your Personal Data unless we can show a  compelling legitimate ground for processing your Personal Data which overrides your interests and  the basis of your request.

Please note, however, that we reserve the right to enforce statutory restrictions on our part, for  example if we are obliged to retain or process certain data, have an overriding interest (insofar as we  may invoke such interests) or need the data for asserting claims.

If you feel that your questions or concerns regarding your Personal Data have not been dealt with  adequately or that your request has not been fulfilled by us, you can use our complaints procedure,  by emailing us at art-27-rep-vidal@rickert.law 

In addition, every data subject has the right to enforce his or her rights in court or to lodge a  complaint with the competent data protection authority.

The competent data protection authority of Switzerland is the Federal Data Protection and  Information Commissioner (http://www.edoeb.admin.ch).

We may amend this Data Protection Statement at any time without prior notice. The current version published on our website shall apply. If the Data Protection Statement is part of an agreement with you, we will notify you by e-mail or other appropriate means if there is an amendment.