FAIR USE AND API POLICY

This Fair Use and API Policy (the “Policy”) sets out the rules for the fair use of the BLLOOG platform and the conditions under which the platform may be accessed programmatically through the BLLOOG application programming interface. It forms an integral part of the General Terms and Conditions available at https://www.blloog.com/policies/gtc-business (B2B) and https://www.blloog.com/policies/gtc-consumers (B2C) (the “Terms”) and must be read together with the Principles of Processing and Protection of Personal Data (the “Privacy Policy”) available at https://www.blloog.com/policies/privacy-policy .

1. Who issues this Policy and whom does it bind?

This Policy is issued by BLLOOG, s.r.o. , with its registered office at Velehradská 1735/28, Vinohrady, 130 00 Prague 3, IČ: 19303378, registered in the Commercial Register maintained by the Municipal Court in Prague, file No. 384441 (“BLLOOG”, the “Provider” or “we”). The Provider operates the website https://www.blloog.com/, the BLLOOG web and mobile applications and the related programming interfaces (together the “Platform”). Where the Provider processes personal data, it does so in the capacity and under the conditions described in the Privacy Policy.

Part A of this Policy (fair use) binds every user of the Platform. Parts B and C bind every person who requests, holds or uses API credentials or otherwise accesses the API — in particular Customers, their employees, developers and Integrators (each an “API User”). By using the Platform, or by requesting or using an API Key, you confirm that you have read this Policy and agree to be bound by it. If you access the API on behalf of a company, you confirm that you are authorised to bind that company.

Questions concerning this Policy may be addressed to contact@blloog.com or to contact@blloog.com. Capitalised terms not defined in this Policy have the meaning given to them in the Terms or in the Privacy Policy.

2. Definitions

• “API” means the Provider’s application programming interfaces, endpoints, webhooks, software development kits and the Documentation;
• “API Key” means any key, token, secret or other credential issued by the Provider for authentication of calls to the API;
• “Customer” means a person that has concluded a contract with the Provider for the use of the Platform;
• “Integrator” means a third party (e.g. a software vendor or telematics provider) that accesses the API on behalf of, and on the instructions of, a Customer;
• “Platform Data” means any data made available through the Platform or the API, including shipment, vehicle, position, document, pricing and communication data;
• “Personal Data” has the meaning given in Article 4(1) of Regulation (EU) 2016/679 (the “GDPR”);
• “Documentation” means the technical documentation of the API.

PART A — FAIR USE OF THE PLATFORM

3. Fair use principle

Services or plans described as “unlimited” or without an express quantitative limit are provided subject to fair use. Use of the Platform must correspond to the ordinary operational needs of a shipper, freight forwarder or carrier of the Customer’s size and must not degrade the quality of the service for other users or place a disproportionate burden on the Provider’s infrastructure.

As guidance, the Provider considers in particular the following to be within fair use:

• retrieval of live vehicle positions at the refresh rates built into the applications (programmatic polling is governed by section 8);
• storage of transport documents (POD photographs, CMR consignment notes, signatures) up to 50 GB per account ;
• use of the in-app chat for business communication relating to transports arranged or managed through the Platform.

Usage that over a period of 30 days exceeds five times the median usage of comparable accounts may be flagged as excessive. In such a case the Provider will normally first contact the Customer to discuss the usage pattern or an appropriate plan before taking any measure under section 5.

4. Prohibited conduct

Regardless of plan or volume, the following is prohibited on the Platform:

• automated scraping, crawling or bulk extraction of Platform Data outside the API made available under Part B, and any systematic extraction or re-utilisation of the whole or a substantial part of the Provider’s databases (which are protected, inter alia, by the sui generis database right under Directive 96/9/EC and Sections 88 et seq. of Act No. 121/2000 Coll., the Copyright Act);
• selling, licensing or otherwise making Platform Data available to third parties outside the performance of the relevant transports;
• creating multiple accounts, or sharing accounts or credentials, in order to circumvent limits or pricing;
• uploading malicious code, interfering with the security or integrity of the Platform, or performing penetration, vulnerability or load testing without the Provider’s prior written consent;
• using the chat or notification functions to send spam or unsolicited marketing;
• using vehicle or driver position data to monitor natural persons outside the performance, documentation and security of transports, contrary to the principles described in the Privacy Policy; and
• any use of the Platform in violation of applicable law, including the GDPR.

5. Consequences of a breach

If the Provider identifies excessive use or a breach of this Part A, it will, as a rule, proceed gradually: (i) it will notify the Customer and provide a remedy period of 7 days ; (ii) if the situation is not remedied, it may throttle the relevant functions or restrict the account; and (iii) in the case of a serious or repeated breach, it may suspend or terminate the account in accordance with the Terms. The Provider may suspend access immediately, without a prior remedy period, where this is necessary to avert a security threat, to comply with a legal obligation, or in the case of a serious breach of section 4. Fees for the period of a suspension caused by the Customer’s breach are not refunded. The Provider’s right to claim damages is not affected.

PART B — API TERMS

6. API access and licence

Access to the API is granted upon registration and approval by the Provider. The Provider may refuse, condition or limit access at its reasonable discretion.

Subject to compliance with this Policy and the Terms, the Provider grants the API User a limited, non-exclusive, non-transferable, non-sublicensable and revocable licence, for the duration of the contract, to access the API and use the Documentation solely in order to develop and operate an integration for the API User’s own logistics operations and for serving its own clients in connection with transports arranged or managed through the Platform. No other rights are granted; the Provider retains all rights to the Platform, the API, the Documentation and the databases.

7. API Keys and security

• API Keys are confidential. The API User must keep them secure, must not share them with third parties (other than an Integrator acting on its behalf) and must not embed them in publicly accessible client-side code or public repositories;
• a separate API Key should be used for each application and environment (production / testing);
• the API User is responsible for all activity carried out under its API Keys;
• all API communication must use TLS encryption; credentials must be stored securely and access to them limited to persons who need it;
• if the API User suspects that an API Key has been compromised, it must notify the Provider without undue delay at contact@blloog.com and rotate the key; and
• the Provider may rotate, suspend or revoke API Keys where reasonably necessary for security reasons; it will inform the API User without undue delay.

8. Rate limits and technical conduct

Unless a different limit is agreed in writing or stated for the relevant plan in the Documentation, the following default limits apply: 600 requests per minute per API Key . For shipment status changes and position events, API Users should use webhooks where available instead of high-frequency polling; bulk endpoints should be used for historical data.

Requests exceeding the applicable limits will receive an HTTP 429 response. The API User must handle such responses with an exponential back-off and must not generate retry storms, parallelise calls, or use multiple API Keys or accounts in order to circumvent the limits. Non-personal reference data may be cached for up to 8 hours ; the API User must not use caching to build a permanent independent copy of the Provider’s databases. The caching and retention of Personal Data, including position data, is governed by section 11.

The Provider monitors the volume and patterns of API usage (technical metadata of calls) to the extent necessary to enforce this Policy, to secure the Platform and to plan capacity.

9. Permitted and prohibited use of the API

Permitted use. The API may be used in particular to: integrate the Platform with the API User’s own transport-management, ERP or telematics systems; display the tracking of the API User’s own shipments to its own clients; automate the exchange of transport documents; and analyse the API User’s own shipments and operations.

Prohibited use. The API User must not:

• use the API or Platform Data to develop, offer or operate a product or service that substitutes for, or competes with, the Platform, or aggregate Platform Data with data of other persons in order to create a competing freight exchange, carrier database or comparable dataset;
• access the Platform programmatically other than through the documented endpoints, or circumvent any technical restriction or access control;
• reverse engineer, decompile or disassemble the Platform, except to the extent that such a restriction is prohibited by mandatory provisions of applicable law (e.g. Section 66 of the Czech Copyright Act and Directive 2009/24/EC);
• use the API or Platform Data to develop, train, fine-tune or improve any machine-learning or artificial-intelligence model, except with the Provider’s prior written consent;
• resell API access, act as a data broker in respect of Platform Data, or misrepresent the identity of the application making the calls; or
• introduce malicious code into the Platform or test its limits or security without the Provider’s prior written consent.

10. Changes, versioning and availability of the API

The API is versioned. The Provider may develop the API over time; backwards-incompatible changes to a stable version will be announced at least 6 months in advance via e-mail to the registered technical contact , except where an immediate change is required for security or legal reasons. Deprecated versions remain available for the announced transition period.

The API is provided “as is” and “as available”. Unless a service-level agreement has been concluded separately in writing, the Provider does not guarantee any specific availability or response times; planned maintenance is announced in advance.

PART C — PERSONAL DATA ACCESSED THROUGH THE API

11. Data protection obligations of API Users

The API provides access to Personal Data, in particular: the live and historical position of vehicles and drivers; identification and contact data of drivers and contact persons; the content of in-app chat communication; and transport documents (POD photographs, CMR consignment notes, signatures), which may contain personal data of third persons. Each party processes Personal Data in compliance with the GDPR and applicable data-protection law. The processing carried out by the Provider is described in the Privacy Policy.

Roles. (a) Where a Customer retrieves Personal Data through the API for its own purposes (in particular the performance, documentation, invoicing and security of its own transports), the Customer acts as an independent controller of that data from the moment of retrieval. (b) An Integrator accessing the API on behalf of a Customer acts as that Customer’s processor and must have concluded a data-processing agreement pursuant to Article 28 GDPR with the Customer; the Provider may request evidence of it. (c) Where the Provider processes Personal Data on behalf of a Customer, the separate data-processing agreement between them applies and prevails over this section.

When handling Personal Data obtained through the API, the API User must in particular:

• process it only for the performance, documentation, invoicing and security of the relevant transports and for purposes compatible with them, and ensure that it has a valid legal basis for its own processing;
• not use it for marketing directed at the data subjects without its own lawful basis, and not use it to enrich third-party databases;
• not use position, telematics or activity data to create behaviour scores, rankings or performance profiles of individual drivers, or to make automated decisions significantly affecting drivers, except under a separate written agreement with the Provider and provided that the API User has a valid legal basis and has fulfilled its transparency obligations towards the drivers concerned;
• apply data minimisation and limited retention; in particular, not build permanent archives of position data and not retain position data for longer than 12 months from the end of the relevant transport (in line with the retention periods in the Privacy Policy), unless it is needed for the establishment, exercise or defence of legal claims;
• implement appropriate technical and organisational measures (including encryption in transit and access controls);
• disclose it onward only to the participants in the relevant transport or where required by law;
• cooperate in the handling of data-subject requests and forward to contact@blloog.com (or the DPO identified in the Privacy Policy) any request that concerns processing carried out by the Provider;
• notify the Provider without undue delay at contact@blloog.com of any personal-data breach involving Personal Data obtained through the API, where the breach may affect the Provider’s own obligations; and
• upon termination of API access, delete the retained Personal Data in accordance with section 14.

Transfers outside the EU/EEA. If the API User processes Personal Data obtained through the API outside the European Union / European Economic Area, it must ensure a valid transfer mechanism under Chapter V GDPR (an adequacy decision — including the EU–U.S. Data Privacy Framework where the recipient holds a current certification — or appropriate safeguards such as the Standard Contractual Clauses) and must inform the Provider of the mechanism used upon request.

Uploads. An API User that uploads documents or other content through the API warrants that it is entitled to do so, including in respect of any personal data of third persons contained in them (e.g. the name and signature of the consignee’s employee).

PART D — COMMON PROVISIONS

12. Intellectual property and feedback

The Platform, the API, the Documentation and the Provider’s databases are protected by copyright, the sui generis database right and other intellectual-property rights of the Provider or its licensors. If the API User provides the Provider with suggestions or feedback, the Provider may use them without restriction and without remuneration. The “BLLOOG” name and logo may be used only in accordance with the Provider’s brand guidelines and with the Provider’s prior written consent and never in a way suggesting endorsement of the API User’s product.

13. Confidentiality

Non-public parts of the Documentation, API Keys, non-public technical information about the Platform and individually agreed pricing are the Provider’s confidential information. The API User must protect it, use it only for the purposes permitted by this Policy and not disclose it to third parties (other than to an Integrator bound by equivalent obligations). This obligation survives the termination of API access for 3 years .

14. Suspension and termination of API access

The Provider may suspend API access immediately where this is necessary to avert a security threat, where it reasonably suspects unlawful processing of Personal Data obtained through the API, in the case of a serious or repeated breach of this Policy, or where required by law. In other cases of breach, the Provider will first call upon the API User to remedy the breach within 7 days . Either party may terminate API access in accordance with the Terms.

Upon termination of API access for any reason, the API User must cease using the API, and must delete or destroy the Platform Data in its possession, including Personal Data, within 30 days , except for data that the API User is legally obliged to retain or that it needs for the establishment, exercise or defence of legal claims (in line with the principles described in the Privacy Policy); upon request, it will confirm the deletion in writing. Sections 11 (in respect of retained data), 12, 13, 15 and 17 survive termination.

15. Warranties and liability

The Platform Data is provided “as is”. Position data in particular depends on the availability and accuracy of GPS signals, mobile networks and end devices; the Provider therefore does not guarantee continuous, complete or precise positioning information, and the API User must not rely on it as the sole input for safety-critical decisions.

To the maximum extent permitted by law, the Provider is not liable for indirect or consequential damage or lost profit arising from the use of the API, and the Provider’s aggregate liability arising from or in connection with the API is limited to the fees paid by the API User for the affected services in the 12 months preceding the event giving rise to the claim . Nothing in this Policy excludes or limits liability that cannot be excluded or limited under mandatory provisions of Czech law (in particular Section 2898 of Act No. 89/2012 Coll., the Civil Code). The API User will compensate the Provider for harm incurred as a result of third-party claims caused by the API User’s breach of this Policy, including unlawful processing of Personal Data obtained through the API.

16. Changes to this Policy

The Provider may amend this Policy to a reasonable extent within the meaning of Section 1752 of the Civil Code, in particular to reflect the development of the Platform, of the API or of legal requirements. Amendments will be notified at least 30 days before they take effect, via the Platform or by e-mail. If the API User does not agree with an amendment, it may terminate the use of the API before the amendment takes effect; continued use after the effective date constitutes acceptance. Amendments required by law or by urgent security needs may take effect immediately.

17. Final provisions

This Policy is governed by the laws of the Czech Republic. Disputes will be resolved by the courts of the Czech Republic having jurisdiction according to the Provider’s registered office. In the event of a conflict, the following order of precedence applies: an individually concluded written agreement (including any data-processing agreement), the Terms, Privacy Policy, this Policy, the Documentation. If any provision of this Policy is or becomes invalid or unenforceable, the remaining provisions remain unaffected.

This Policy is valid and effective from 16 June 2026 .