Data storage and protection rules
Effective Date: August 05, 2025.
This document establishes the rules for the storage and protection of personal data that Polina Haribian "Pannl Inc" (hereinafter referred to as "Company", "we") processes when providing services on the website https://pannlinc.com/ (hereinafter referred to as the "Site"). The Policy has been developed in accordance with the requirements of the EU General Data Protection Regulation (GDPR), Spanish law and the recommendations of the European Commission. It describes technical and organizational measures, retention periods, destruction procedures and actions in the event of a data security breach.
1. Basic principles of data storage
- Legality, purpose limitation, and data minimization. We only collect and store personal data that is necessary for specific and legitimate purposes (registration, user communication, sending notifications and security).
- Storage limitation. Data is stored for no longer than is required for the purposes of processing. The retention period depends on account activity: account data is deleted upon user request or account deletion; security logs (including IP addresses) are retained for up to 12 months; feedback form requests are retained for up to 24 months. We do not maintain separate retention schedules for each category, as data is deleted when it is no longer needed.
- Accuracy and Relevance. The user can update their data in their personal account; if errors are detected, the data is corrected.
- Integrity and Confidentiality. We apply technical and organizational measures to protect data against unauthorized access, loss, destruction or alteration.
- Accountability and Documentation. According to EU recommendations, organizations should keep detailed records: contact details, grounds for processing, description of subject categories, recipients, cross-border transfers, retention periods and the security measures used (europa.eu). The Company reviews and updates this documentation on a regular basis.
2. Place of storage and responsibility
- Data Storage. Personal data is stored on servers located in the European Union. We use a hosting provider with certified security standards and backups.
- Lack of cross-border transfer. Personal data is not transferred outside the European Economic Area. If such a transfer is necessary, we will use the mechanisms provided for in the GDPR (standard contractual clauses, adequacy decisions).
- Data Controller. Full control over data collection and storage is exercised by the Company. Currently, no Data Protection Officer (DPO) has been appointed; the responsibility for data protection rests with the Company's management.
- Employees and Access. Access to personal data is restricted to those employees and contractors who need it to perform their job duties. Employees sign confidentiality agreements and receive data protection training. Strict access control policies and regular auditing of access rights are in place.
3. Technical protection measures
- Encryption and connection security. Data transfer between the user and the Site is performed through the secure HTTPS/TLS protocol, which provides encryption of information in transit.
- Password hashing. User passwords are stored only as salted hashes, never in plain text, so the original password cannot be recovered from the stored value.
- Server Protection. Servers are located in secure data centers and use up-to-date intrusion detection systems, firewalls, antivirus software and regular updates. Access to server management is only possible through secure channels with multi-factor authentication.
- Backup and Restore. Data is regularly backed up and stored in encrypted form. A recovery plan is in place to ensure continuity of services.
- Pseudonymization and minimization. We try to use anonymized or pseudonymized data whenever possible (e.g., for analytics). This way, even in the event of a leak, the risk to data subjects is minimized.
- Malware Protection. We regularly scan servers for vulnerabilities and malware, update software and apply security patches.
4. Organizational measures
- Policies and Guidelines. We have developed internal policies and guidelines on the processing, storage and protection of personal data, which are available to employees and regularly updated. European guidelines emphasize the need for such written procedures (europa.eu).
- Access restriction. The principle of least privilege is applied: each employee has access only to the data needed to perform his or her tasks.
- Staff Training. Employees receive training on GDPR, data security and incident management.
- Clean Desk Policy. Documents containing personal data are kept in secure systems; storage on unprotected media is not permitted.
- Confidentiality Agreements. Contractors and employees sign non-disclosure agreements that remain in effect even after the collaboration is complete.
- Auditing and monitoring. Regular internal audits of security policy compliance are conducted, including access rights, action logs and server security.
5. Principles of "data protection by design and by default"
The GDPR requires organizations to build data protection mechanisms in at the design stage and to use privacy-protective default settings (europa.eu). We implement these principles as follows:
- Privacy by design. When developing new features and services, we analyze privacy risks and implement data minimization, encryption, pseudonymization and other protection methods.
- Privacy by default. The default settings of our services limit the visibility and distribution of personal data as much as possible.
- Impact Assessment (DPIA). When introducing new ways of processing data (e.g. integrating a third-party service), a data protection impact assessment is carried out.
6. Data destruction procedure
- Deletion at the user's request. Users can delete their account in their personal account or request deletion by sending an email to info@pannlinc.com. All personal data associated with the account will be deleted or anonymized within 30 days.
- Automatic deletion. If a user does not use the account for more than 24 months or withdraws consent to data processing, we delete personal data except for those required to be retained by law (e.g. accounting documents or security logs).
- Deleting backups. Data stored in backups is automatically overwritten when the backup cycle expires (usually within 90 days).
- Physical destruction. If physical media is used, data is destroyed by methods that preclude recovery.
7. Actions in case of a Data Breach
- Incident Identification. We monitor security events using intrusion detection systems and logs. If suspicious activity is detected, responsible parties are immediately notified.
- Risk Assessment. The degree of risk to the rights and freedoms of data subjects is determined.
- Notification of authorities and data subjects. In the event of a serious breach that may result in a risk to the rights and freedoms of users, the Company undertakes to notify the data protection authority (Agencia Española de Protección de Datos) within 72 hours and to inform the affected users.
- Documentation. All incidents are recorded with the circumstances, consequences and actions taken, in line with the principle of accountability.
- Preventing Recurrence. Once the incident is resolved, its causes are analyzed, additional security measures are implemented, and procedures are updated as necessary.
8. Monitoring and updating the policy
- Regular reviews. This policy is periodically reviewed to ensure compliance with current legislation and to reflect changes in business processes.
- Notifying employees. All changes are communicated to employees and published on the internal portal.
- Publicity. An abbreviated version of the rules may be published on the website to inform users about data protection measures.
9. Contact information
For questions regarding data storage and data protection, you can contact:
- Email: info@pannlinc.com
- Mailing address: Carrer Carreters 49, 03130 Santa Pola (Alicante), Spain
- Supervisory Authority: Agencia Española de Protección de Datos (AEPD) - Calle de Jorge Juan 6, 28001 Madrid, Spain.
This policy is part of the Pannl Inc. data protection management system. Violation of the rules may result in disciplinary action and legal liability.