PRINCIPLES OF PROCESSING AND PROTECTION OF PERSONAL DATA

We protect and process all personal data as confidential. We handle personal data only in accordance with the applicable legislation and for the relevant purpose. The processing of personal data is carried out in accordance with Regulation (EU) 2016/679 (the “GDPR”), Act No. 110/2019 Coll., on the Processing of Personal Data, and Act No. 480/2004 Coll., on Certain Information Society Services, as amended.

In this document we wish to provide you with basic information about the personal data we obtain from you and process — in particular in connection with the operation of our logistics platform, including live shipment tracking, payments, in-app communication and transport documents. At the same time, we wish to inform you of the rights you have as a data subject.

1. Who processes your data?

Your data is processed and handled by the controller BLLOOG, s.r.o. , with its registered office at Velehradská 1735/28, Vinohrady, 130 00 Prague 3, IČ: 19303378, registered in the Commercial Register maintained by the Municipal Court in Prague, file No. 384441 (the “Controller”), including its employees and cooperating persons. For the purposes of handling and processing your personal data, this entity is the controller of the personal data within the meaning of Article 4(7) GDPR.

You may contact the Controller at the e-mail address contact@blloog.com, or at the correspondence address Durychova 101/66, 142 00 Praha 4 – Lhotka, Czech Republic. The Controller operates the website https://www.blloog.com/, the relevant sub-pages and the BLLOOG mobile and web applications (together the “platform”).

The Controller has appointed a Data Protection Officer (“DPO”). You may contact the DPO with any question or request concerning the processing of your personal data at: dpo@blloog.com , or in writing at the Controller’s correspondence address marked “DPO”.

On the Controller’s behalf, personal data is handled by its employees and contractual partners, always to the extent necessary to perform the Controller’s tasks. These persons are bound by a statutory or contractual duty of confidentiality. They handle the personal data received only in the cases and for the purposes laid down by law or by contractual arrangement, to fulfil the Controller’s legitimate interest, or under a consent voluntarily granted by you. Employees and other personnel are trained in handling personal data under the principle that they know and work only with the personal data they actually need for their work.

On the basis of the personal data obtained, and through preferences identified within the user section of the platform, the Controller may recommend certain services and/or products of third parties related to the data you have provided and to your conduct. It may also enable recommendations within the application and broker contact between business partners and users.

2. Whose personal data do we process (data subjects)?

Personal data is any information that, alone or in combination with other information, identifies a specific natural person or by which a specific person is identifiable. A data subject is a person whose personal data is being processed, that is predominantly:

• Users / Clients — persons to whom services in the Controller’s field are provided (shippers, freight forwarders, carriers and their staff using the platform), or other persons who move within the Controller’s environment (e.g. a website visitor or a participant of an event held by the Controller);
• Drivers — natural persons who perform transports arranged or managed through the platform and whose vehicle position, transport documents and in-app communication are processed in connection with the performance of a specific transport. Drivers may be employees or contractors of the Controller’s customers (carriers);
• Business partners — persons offering or providing services under a contractual relationship with the Controller, or interested in the Controller’s services or products, as well as persons whose data is communicated or made available to the Controller in connection with providing services to clients (for example contact persons, acting persons and their representatives, holders and owners of bank accounts), or learned in the course of the Controller’s business activity;
• Employees and contractual partners of the Controller engaged in the operation and provision of the platform (e.g. their employees, representatives, or persons authorised to act in connection with providing electronic functions in the application);
• Natural persons acting as public officials in the exercise of public authority (e.g. for an administrative authority, court, or other state-administration body).

3. What personal data do we process?

The quantity, scope and nature of the personal data vary depending on your legal relationship with the Controller (a client provides data different from that of a driver, an employee or a business partner). Fields marked as mandatory at the point of collection are necessary for the conclusion or performance of the relevant contract; if you do not provide them, we will not be able to provide you with the relevant service. In particular, we process the following categories of personal data:

a) Identification and contact data. First name, surname and title; date of birth where needed for identification; company identifiers (IČO, DIČ / VAT No.); registered office, billing and delivery addresses; e-mail address, telephone number and data-box ID; user account identifiers; details of representatives and contact persons; and, where required for identification or anti-money-laundering duties, identity-document data.

b) Account and usage data. Login data, account settings and preferences, log records, IP address, device and browser identifiers, and data on your movements within the website and the application. Cookies and similar technologies are governed by our separate cookie principles available at https://www.blloog.com/.

c) Location and telematics data. If you use the BLLOOG application as a driver, or if a vehicle is connected through a telematics integration, we process the real-time GPS position of the vehicle and the driver, route history (positions and timestamps), transport status events (e.g. loading, in transit, delivered) and related technical data. Location data is collected only while a transport is in progress and is not collected outside those periods. We use this data to provide live shipment tracking and estimated times of arrival, to coordinate dispatch, to document the performance of the transport and to protect the goods carried. Live position data is visible to the dispatchers of the carrier you drive for and to the parties to the specific transport (e.g. the shipper or freight forwarder) . Where you are not yourself a party to a contract with the Controller (typically a driver employed by our customer), the legal basis for this processing is the legitimate interest (Article 6(1)(f) GDPR) of the Controller, the carrier and the customer in the proper performance, documentation and security of transports; you have the right to object to this processing under Article 21 GDPR (see section 10 below).

d) Payment and billing data. Payments on the platform are processed by our payment processor Stripe. The Controller does not receive or store full payment-card numbers. We receive and process the payment method type and the last four digits of the card, payment tokens, the cardholder or billing name and address, bank account details for invoicing and payouts, transaction amounts, currency, status and time, and related invoicing and accounting data. Stripe processes payment data partly as our processor and partly as an independent controller for its own regulatory obligations (e.g. fraud prevention and financial-services regulation); see Stripe’s privacy policy at https://stripe.com/privacy.

e) Communication and chat data. The platform includes an in-app chat for communication between users (e.g. dispatchers, customers and drivers) in connection with transports. We process the content of messages and attachments, the identity of the sender and recipients, timestamps and delivery/read status. We further process communication made by e-mail, telephone, SMS or video call, and records or confirmations of oral communications, as well as feedback and satisfaction questionnaires relating to our services.

f) Push notification data. If you allow push notifications, we process the push token of your device, device and platform identifiers and notification delivery and interaction data in order to send you service notifications (e.g. transport status changes or new chat messages) and, with your consent, marketing notifications. You can disable push notifications at any time in the settings of your device or of the application.

g) Documents and content uploaded to the platform. Proof-of-delivery (POD) photographs, CMR consignment notes and other transport and shipping documents, handwritten or electronic signatures of persons confirming loading or delivery, and photographs of vehicles or cargo. These documents may contain personal data of third persons (for example the name and signature of the consignee’s employee). Users who upload documents to the platform are obliged to ensure that they are entitled to do so.

h) Data relating to contracts and liabilities. Data on contractual performance and the subject of performance, data on liabilities or the relationship to liabilities, tax and accounting data, and registration data and records kept under legal regulations.

i) Employee and HR data. In respect of the Controller’s own employees, job applicants and cooperating persons: data for payroll and remuneration processing and records in the area of tax, social-security and health-insurance obligations.

4. How do we obtain personal data?

The Controller usually obtains personal data in written form (paper or electronic) or orally, in person or by telephone, and in particular as follows:

Platform (website and applications). You most often provide your personal data by entering it via the electronic access points of the Controller’s platform (at https://www.blloog.com/ and the relevant sub-pages and applications), through user registrations, and by moving within the user space created. Location data is obtained directly from your device when location services are enabled in the driver application, or from telematics units connected to the platform. Driver accounts and related data may also be created or provided by the carrier or employer for whom the driver performs transports. The Controller further obtains personal data through provision by business partners who, under cooperation with the Controller, make personal data available to the Controller’s applications.

Personal data obtained online is protected by appropriate technical and organizational security measures, including encryption of data in transit (TLS). The Controller records personal data only at the moment it is received into the application. If the session ends without submission on your part, the personal data is not further processed by the Controller. You may edit or amend the personal data you have provided via the access points, or you may contact the Controller directly in accordance with your rights. When a user account is deleted, a backup of personal data that the Controller is legally obliged to retain may be created in accordance with special legal regulations.

Communication. The Controller further receives personal data through communication with you, your employers, organizations, or contractual partners; when preparing contracts or legal documents; in connection with performing contracts and contractual obligations; when fulfilling statutory obligations; and when dealing with state-administration bodies, law-enforcement authorities and courts. From consultations or communications made orally (in person or by telephone), the Controller may make and retain records in written form or other confirmation of the communication.

Publicly available data. The Controller also obtains personal data from publicly available databases and registers (e.g. the Commercial Register, the Trade Licensing Register and VAT registers), from public profiles and websites, and from data on browsing provided by your chosen browser and search engine.

5. For what purposes and on what legal bases do we process personal data?

The Controller processes the personal data obtained for the purpose of providing our services to you, contacting you, and developing business relationships or relationships arising from concluded contracts or the law. We process personal data for the following purposes:

a) To fulfil statutory obligations (Article 6(1)(c) GDPR), in particular: tax and accounting obligations; archiving and records management under special legal regulations; retention of data on services provided under special legal regulations; providing cooperation to public authorities; and identification of beneficial owners and compliance with anti-money-laundering rules and procedures.

b) Performance and negotiation of contracts (Article 6(1)(b) GDPR), in particular: registration and administration of user accounts; operation of the platform and brokering of contact between shippers, freight forwarders and carriers; performance of rights and obligations under contracts with customers or business partners; live tracking of shipments, calculation of estimated times of arrival and dispatch coordination; processing of payments and payouts through our payment processor; in-app communication relating to transports; the making, storage and provision of transport documents (POD photographs, CMR consignment notes, signatures); negotiating the provision of services; meeting the requirements of clients; and contracts and legal obligations with employees and business partners. Where the data subject is not a party to the relevant contract (typically a driver employed by our customer), the corresponding processing is based on legitimate interest under letter c) below.

c) Protection of the Controller’s and third parties’ legitimate interests (Article 6(1)(f) GDPR), in particular: the proper performance, documentation and security of transports arranged through the platform, including the processing of driver and vehicle location data as described in section 3(c); identification of persons; protection of the rights and protected interests of the Controller, its users and customers; prevention and detection of fraud and misuse of the platform; ensuring network and information security; recovery of receivables and fulfilment of obligations; analysis of user movements on the website or in the application for the purpose of improving the services we provide; satisfaction questionnaires; photo documentation of events held; and statistics and performance measurement. You may object to processing based on legitimate interest at any time (see section 10).

d) Consent (Article 6(1)(a) GDPR). Processing based on consent (e.g. cookies, sending newsletters, marketing push notifications, or the transfer of data to business partners for their marketing) is voluntary and may be withdrawn by you at any time by a communication addressed to the Controller. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. Profiling and recommendations — i.e. offering the products and services of the Controller and its business partners based on your behaviour and the preferences you have expressed in the user environment — are carried out only where you have given consent and do not involve automated individual decision-making producing legal effects within the meaning of Article 22 GDPR.

We provide certain services free of charge. In order for the platform to remain viable without the need for charging for those services, the Controller may — where you have given separate consent — provide certain personal data and data on your preferences to its business partners. Transfer of personal data to business partners for their marketing is based exclusively on your separate, freely given and informed consent, which is not a condition for using our services and which you may withdraw at any time. Where granted, such processing by business partners always concerns only the data necessary to send offers and communications (via the application and/or by e-mail and/or by telephone) and is always limited to the commercial focus of those entities (freight forwarding, transportation of goods, etc.). Within your user preferences, you may limit the collection of personal data to anonymized, aggregated data only (non-targeted advertising only).

Use of consumer reviews. On the Controller’s website and/or in search results via search engines and comparison sites, we provide access to ratings and reviews of our services that were made by our customers or persons using our services after purchasing and using them. We ensure and verify the authenticity of such reviews by linking each rating to specific paid orders and/or user accounts assigned to a specific customer, so that we are able to demonstrate that the review genuinely comes from a customer to whom the service was provided.

6. Who receives your personal data? (recipients and sub-processors)

The Controller provides personal data to third parties in particular under the following conditions: (i) the Controller entrusts part of its activities to a third party acting as a processor of personal data for the Controller, always under a data-processing agreement pursuant to Article 28 GDPR; (ii) provision of personal data on a legal basis, in particular to public authorities; and (iii) provision to persons who, under a contract concluded with the Controller, participate in the Controller’s activities or otherwise cooperate with it (business partners), including — where you have so consented — for the purpose of sending commercial communications by electronic means.

Participants in your transports. The nature of the platform means that data relating to a specific transport (including the live position of the vehicle, transport documents and chat messages relating to that transport) is shared with the other parties involved in that transport — typically the shipper, the freight forwarder, the carrier and the consignee. These parties process the data as independent controllers for their own purposes.

Key service providers (sub-processors). The Controller currently uses in particular the following providers as processors within the meaning of Article 28 GDPR:

In addition, personal data may be made accessible, to the necessary extent, to providers of IT, hosting and support services, accounting, tax and legal advisors, debt-collection agencies, and public authorities where required by law. This list of sub-processors is current as of 16 June 2026 ; an up-to-date list is available from the Controller on request. The current certification status of U.S. providers under the EU–U.S. Data Privacy Framework can be verified at https://www.dataprivacyframework.gov/list.

7. Transfers of personal data outside the EU/EEA

Personal data is processed as a rule within the territory of the European Union / European Economic Area. Some of the service providers listed in section 6 are established in, or transfer data to, the United States of America. Any such transfer takes place only on the basis of:

• an adequacy decision of the European Commission pursuant to Article 45 GDPR — in particular the adequacy decision for the EU–U.S. Data Privacy Framework (“DPF”), where the recipient holds a current DPF certification; or
• appropriate safeguards pursuant to Article 46 GDPR, in particular the Standard Contractual Clauses adopted by the European Commission (Article 46(2)(c) GDPR), supplemented where necessary by additional technical and organizational measures (such as encryption of data in transit and at rest).

In exceptional cases, a transfer may take place on the basis of a derogation under Article 49 GDPR. You may obtain a copy of the safeguards used, or information on where they have been made available, by contacting the Controller or the DPO at the contact details set out in section 1.

8. How long do we retain personal data?

We process and retain personal data only for the strictly necessary period. Data subject to mandatory recording is processed and kept for the period laid down by legal regulations (no longer than 10 years in the area of certain taxes and obligations arising from AML regulations, or in cases of keeping prescribed documentation required by law). To secure other rights and obligations from contractual relationships and to fulfil statutory obligations, data is retained for at least 5 years from the moment of obtaining it. In the case of our legitimate interests, we retain personal data for the period necessary to exercise them, but no longer than 2 years from obtaining them, unless in a particular case a justified need arises to retain the data longer. In particular:

• Location and telematics data: retained for 12 months from the end of the relevant transport, after which it is deleted or irreversibly anonymized, unless it is needed for the establishment, exercise or defence of legal claims relating to that transport;
• In-app chat messages: retained for the duration of the user account and for 12 months thereafter, unless needed for the establishment, exercise or defence of legal claims;
• Transport documents (POD photographs, CMR consignment notes, signatures): retained for the duration of the limitation periods for claims arising from the transport (under the CMR Convention generally 1 year, or 3 years in the case of wilful misconduct) and, where they form part of tax or accounting documents, for up to 10 years in accordance with tax legislation;
• Payment, invoicing and accounting data: for the periods required by tax and accounting legislation (up to 10 years);
• Push tokens: until you disable notifications, log out or uninstall the application;
• Data for sending satisfaction questionnaires: no longer than 1 month.

9. How can you delete your account and your data?

You can request the deletion of your user account and the associated personal data at any time:

• directly in the application: Settings → Delete account , and confirming the deletion; or
• by e-mail: by sending a request to contact@blloog.com (or to the DPO) from the e-mail address registered to your account. If the request is sent from a different address, we may ask you to verify your identity before acting on it.

We will act on your request without undue delay and at the latest within one month of receipt; in complex cases this period may be extended by a further two months, of which we would inform you. Upon deletion, your account is deactivated and your personal data is erased or irreversibly anonymized, with the following exceptions, which we retain to the necessary extent and for the necessary period:

• invoicing, payment, tax and accounting records that we are legally obliged to retain (up to 10 years);
• transport documents and records needed for the establishment, exercise or defence of legal claims, for the duration of the applicable limitation periods;
• records required under anti-money-laundering regulations; and
• a minimal record of your deletion request and of any objection or withdrawal of consent, so that we can demonstrate compliance.

Data is removed from active systems immediately upon deletion; residual copies in encrypted backups are overwritten within 90 days as part of the regular backup rotation cycle. Please note that uninstalling the application does not by itself delete your account. If your driver account is created and managed by your employer or the carrier you drive for, we may coordinate the handling of your request with that company; you may nevertheless always contact the Controller directly.

10. What rights do you have as a data subject?

• Right of access to personal data. You have the right to know (i) whether the Controller processes your personal data, (ii) what personal data it processes, (iii) for what purpose and for how long it is processed, and (iv) whether and to which persons it has been or will be disclosed.
• Right to rectification of inaccuracies or incompleteness. Where the Controller processes your data incompletely or inaccurately, you have the right to request its rectification, refinement, or completion.
• Right to erasure of personal data. If you ask us to erase your personal data and at the same time the data (i) is no longer needed for the specified purposes, (ii) the processing is unlawful, (iii) your reasons for erasure outweigh those for retention, (iv) a legal obligation for processing has ceased, or (v) consent has been withdrawn, the Controller will erase your personal data, unless an exception under the GDPR applies. The practical procedure for deleting your account is described in section 9.
• Right to restriction of processing. Under the conditions laid down in the GDPR, you have the right to request a restriction of the scope or purpose of processing of your personal data. During the restriction, the personal data is not actively processed to the extent of the restriction.
• Right to data portability. You have the right to call upon the Controller to transfer, provide, or otherwise pass your personal data to another data controller to the extent laid down by legal regulations. The Controller is not obliged to transfer data where doing so would adversely affect the rights of others.
• Right to object to processing. You may object to processing carried out on the basis of the Controller’s or a third party’s legitimate interest — including the processing of driver location data described in section 3(c). In such a case, an assessment will be made of whether your rights and freedoms outweigh the legitimate interests pursued. If your objection is well-founded, the Controller will cease further processing. You may object at any time and free of charge to processing for direct-marketing purposes.
• Right to withdraw consent. Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Right to lodge a complaint with the supervisory authority. You have the right to lodge a complaint with the Office for Personal Data Protection (see contact details below), without prejudice to any other administrative or judicial remedy.

The data-subject rights set out above are specified in detail in Articles 15 to 22 of the GDPR. In the case of repeated or manifestly unfounded requests to exercise the above rights, we may charge a reasonable fee for exercising the right concerned, or refuse to act on it. We would inform you of such a procedure.

If you have doubts or believe that your personal-data protection rights are being infringed, you may contact us at any time with a query or complaint, or, in cases of serious failure on our part, the Office for Personal Data Protection (the “Office”). The contact details of the Office are as follows, and are also available at https://uoou.gov.cz/kontakt:

Office for Personal Data Protection (Úřad pro ochranu osobních údajů)

Registered office: Pplk. Sochora 27, 170 00 Prague 7

Tel.: +420 234 665 111

E-mail: posta@uoou.cz

Data box ID: qkbaa2n

Web: www.uoou.gov.cz

11. Other information

The Controller does not carry out automated individual decision-making producing legal effects or similarly significantly affecting you within the meaning of Article 22 GDPR. Any profiling/recommendation is carried out only on the basis of your consent, as described above.

The Controller has carried out a data protection impact assessment pursuant to Article 35 GDPR for the processing of location and telematics data and reviews it regularly.

These principles are valid and effective from 16 June 2026 and will be updated regularly. Material changes will be notified within the platform.