IN THIS SECTION OF THE PRIVACY POLICY, WE INFORM YOU ABOUT HOW THE COMPANY, ACTING AS THE DATA CONTROLLER, PROCESSES YOUR PERSONAL DATA.

Below, we provide information on how we specifically process personal data as a data controller.

1. Personal Data Processing for Purposes Related to the Provision of the Company's Services:

We process your personal data for the following purposes related to the provision of the Company's services:

• investor assessment;
• conclusion and performance of the investment agreement, and submission and execution of requests to redeem investment units;
• accounting of financial instruments;
• mandatory investor notification by sending notices;
• issuing consent to transfer units of a collective investment undertaking on the secondary market;
• investment, sale, analysis and assessment of potential investments of the collective investment undertaking's assets;
• realisation or lease of real estate managed by the fund;
• management of real estate managed by the fund.

To view detailed information about which personal data are processed for the above purposes, the legal basis for processing, retention periods, recipients, and other information you are entitled to receive, please click here.

2. Personal Data Processing Related to Anti-Money Laundering and Know Your Customer (KYC) Compliance

The Company carries out personal data processing related to anti-money laundering and KYC not only when it itself implements AML/CTF prevention requirements, but also when it must provide personal data to commercial banks:

• implementation of the Know Your Customer principle and prevention of money laundering and terrorist financing;
• compliance with commercial banks' requirements related to the prevention of money laundering and terrorist financing.

To view detailed information about which personal data are processed for the above purposes, the legal basis for processing, retention periods, recipients, and other information you are entitled to receive, please click here.

3. Personal Data Processing in the Administration of the Company's Activities

The Company also processes personal data in the course of administering its operations and complying with various legal requirements. Such processing relates not only to our clients but also to persons associated with them, spouses, webinar participants, and others.

• prevention of insider and non-public information disclosure;
• registration and investigation of reports of violations;
• internal investigations (ensuring internal control);
• conduct of internal audits;
• organisation of online seminars (webinars) — registration for seminars, management of the registration process including sending access links, sending webinar reminders, and evaluating the relevance and usefulness of webinar content;
• communication with state authorities in compliance with legal requirements;
• bookkeeping and accounting;
• archiving (storage of paper and electronic documents);
• defence of rights and legitimate interests;
• prevention and management of conflicts of interest.

To view detailed information about which personal data are processed for the above purposes, the legal basis for processing, retention periods, recipients, and other information you are entitled to receive, please, click here.

4. Processing of personal data related to the conclusion and execution of contracts with service providers/partners, etc.

In the course of its activities, the Company engages various service providers and maintains relationships with partners by entering into contracts. When concluding and performing contracts, the Company processes personal data of both natural persons acting as service providers / partners, and representatives of legal entities. Please see here for information on how we process personal data.

5. Direct marketing

We send messages about our services, news, and other relevant information related to the Company's provided services to individuals who have expressed their consent (Article 6(1)(a) GDPR, Article 81(1) of the Law on Electronic Communications). Your data for direct marketing purposes will be processed for 5 years, but no longer than until you revoke your consent.

On the basis of our legitimate interest (Article 6(1)(f) of the GDPR, Article 81(2) of the Republic of Lithuania Law on Electronic Communications), we will send special offers regarding the provision of the Company's services by electronic means (e-mail) to our customers who have provided their contact details and who have not objected at the time of their provision to our intention to process them for the purposes of direct marketing. Your data for direct marketing purposes will be processed for 5 years, but no longer than until the end of business relations with you, or until you express objection to receiving the specified offers.

For direct marketing purposes, the Company will process the following personal data: email address, telephone number (mandatory data, without which we cannot send you direct marketing messages), first name, last name.

You have the right to object or withdraw your consent to receive direct marketing messages at any time by contacting us via email: dpo@nteram.lt.

IMPORTANT! Some messages are sent as part of executing investment contracts concluded with you; such messages are not considered direct marketing, and your contact details are processed as specified in point 1 of this Privacy Policy.

6. Processing of candidate data for Company employees

We actively search for potential employees and pursue candidates both passively and proactively. The type and manner of processing of your personal data as a potential or actual candidate depends on the position you are applying for, and on whether you submit your personal data to us directly or whether we collect data about you from public sources in the course of active recruitment. More detailed information is available here.

7. Protection of company assets (video surveillance)

The Company carries out video surveillance at certain properties belonging to the investment funds it manages, for the purpose of securing those properties, on the basis of legitimate interest (Article 6(1)(f) GDPR). In conducting video surveillance, the Company processes video data which may include: image, movement trajectory, and items in the person's possession. The retention period for video data may vary depending on the property (the retention period is indicated in the video surveillance notice at the relevant location).

Please note that, by decision of the Company's director, video data may be retained for a longer period than indicated above if there are grounds to believe that the data may be needed in connection with the investigation of a criminal act, incident, or other damage-causing event that occurred at the property. In such case, video data will be retained until a final decision is made by law enforcement authorities or a court, or until a conclusion is reached by other persons investigating the incident or the damage-causing event. In such cases, video data may be disclosed to lawyers, courts, and law enforcement authorities. Recipients of video data may also include our engaged data processors acting on our behalf and in accordance with our instructions.

8. Protecting confidential information of the company and business continuity

In pursuit of its legitimate interest in protecting confidential information and ensuring business continuity, the Company may review its employees' correspondence with counterparties. For this purpose, the Company processes the following personal data of its employees and persons who send or receive employees' emails: email address, sender's or recipient's first and surname, date, and the content of information in electronic work tools.

Data collected for the purpose of protecting confidential information and defending legal claims are retained for 3 years, in accordance with Article 1.125(9) of the Civil Code of the Republic of Lithuania. For the purpose of defending legal claims, data may be disclosed to recipients (data controllers) such as courts, state institutions resolving disputes, parties to a dispute, lawyers, and other legal service providers.

9. What purposes do we process personal data of website visitors for?

9.1 What do we collect about you when you contact us with an enquiry?

You may contact us via the contact form on our website or through our Facebook and LinkedIn social media accounts. All messages are received, reviewed, and responded to by us directly. If you contact us, we may process the data you provide, including: email address, name, subject of enquiry, message content, username (if the enquiry is sent via a social media account), date and time of sent and received messages, recipient and sender details (where the message is addressed to you), and the content of correspondence with you.

Such data will be processed for the purpose of responding to your enquiries. If you do not provide your contact details, it will not be possible for us to contact you.

Correspondence is retained for 3 years, except where other retention periods are prescribed by law.

All personal data you provide in communicating with us is used solely for the purposes described above and for reviewing messages and managing communication flows. We undertake not to use your personal data in a manner that would allow your identity to be established without your explicit consent.

Please note that we may need to contact you using the details you have provided. Please notify us of any changes to your personal data if such changes occur.

9.2 Social media

Information you provide to us through social media (including messages, use of "Like" and "Follow" buttons, and other interactions) is controlled by the social network operator.

Our website contains links to our social media accounts (hereinafter "Social Accounts"). We currently administer the following Social Accounts:

• Nter's Facebook account;
• Nter's LinkedIn account.

Information on Social Accounts is processed for account administration purposes on the basis of your consent expressed through conclusive actions. Information on Social Accounts is retained for 10 years from the end of use of the social network.

When you visit our Social Accounts, the social network operators place cookies on your device that collect personal data. Cookies are placed regardless of whether you are a registered user of the social network or not. We do not have access to the personal data collected and may only receive aggregated statistical information from social network operators about the usage of the Social Accounts. We recommend reading the privacy notices of third parties and contacting service providers directly if you have any questions about how they use your personal data.

9.3 What do we collect about you through the use of cookies?

A cookie is a small file consisting of letters and numbers that is stored in the browser of your device (computer, mobile phone, or tablet). Cookies allow websites to store data such as: login data (IP address of the connecting device, time of connection, city of connection); browser type; and data about how you browse websites (which pages you visit, which services you are interested in, etc.).

Cookies help us recognize you as a returning visitor to the Website, save your browsing history and customize content accordingly, speed up searches on the Website, create a convenient and user-friendly website environment, and present it more efficiently and reliably. Cookies also help ensure smooth operation of the Website and allow us to monitor visit duration and frequency, and to gather statistical information about the number of Website visitors.

Using the information collected by cookies about your activity on the Website, we may collaborate with analytics service providers who will help us evaluate and provide us and/or third parties with information about the use of such advertisements on third-party websites and about views of advertisements and our content.

9.3.1 What information do we collect using cookies, how long do we retain it, and which specific cookies do we use?

Each time you visit our website, both persistent cookies — which remain on your device after you log out and will be used when you return to the Website — and/or session cookies — which expire and are deleted when you finish browsing the Website — may be created.

All cookies we use require your prior consent, except for strictly necessary cookies. You may express your consent by clicking the "Allow all" button in the cookie banner at the bottom of the website page. Before consenting, you may select which types of cookies you wish to accept by clicking "Allow selection."

The types of cookies used on the Website are listed below. Specific cookies used on the Website, their functions, descriptions, and validity periods can be found in the cookie banner at the bottom of the website page.

Types of cookies

The following types of cookies may be used on our website:

Strictly Necessary Cookies

These cookies are essential for you to navigate the Website and use its features, such as remembering information entered in forms during a session and accessing secured areas of our website. Without these cookies, certain services on the Website would not be possible, or the Website would not function as smoothly as intended. For this reason, it is not possible to refuse strictly necessary cookies. The legal basis for using such cookies is Article 73(4) of the Law on Electronic Communications of the Republic of Lithuania.

Functional Cookies

These cookies allow website visitors to avoid changing settings every time they visit. They help remember your choices and preferences (e.g., language). Functional cookies also remember changes you have made and other actions, such as when you leave a comment on the Website (where such functionality is available). The legal basis for using such cookies is your consent.

Statistical Cookies

These cookies show us whether you have visited the Website before. They help us track the number of visitors and frequency of visits. They collect information about how the Website is used and help improve its performance. For example, statistical cookies may show which pages are visited most frequently and help log any issues occurring on the Website. The legal basis for using such cookies is your consent.

Marketing Cookies

These cookies allow us to record your visit to our Website, the pages you visited beforehand, and the links you followed. We use this information to show you advertisements relevant to your interests. Marketing cookies allow us to know whether you have already seen an advertisement and how long ago you saw it. We may use cookies set by third parties to provide you with more personalised advertising. The legal basis for using such cookies is your consent.

9.3.2 How to delete cookies?

You may manage and/or opt out of cookies using the cookie banner at the bottom of the Website page. You may withdraw your consent to non-essential cookies at any time in that banner or by changing your selections. You may also change your browser settings on your computer, tablet, or smartphone at any time to prevent cookies from being accepted or to delete cookies that have already been stored. Detailed instructions depend on the browser and device you are using; more information can be found here:

• Microsoft Edge — Manage cookies in Microsoft Edge: View, allow, block, delete and use
• Mozilla Firefox — Clear cookies and site data in Firefox
• Google Chrome — Delete, allow, and manage cookies in Chrome
• Opera — Web preferences - Opera Help
• Safari (iPhone / iPad) — Delete your Safari history, cache, and cookies on iPhone - Apple Support
• Chrome on Android — Delete, allow, and manage cookies in Chrome - Android

IMPORTANT! Please note that rejecting certain cookies may have a negative impact on your use of the Website, for example by slowing down internet browsing, limiting the functionality of certain Website features, or blocking access to the Website.

10. Transfer of data to third countries

When using our social media accounts (Facebook, LinkedIn), your personal data within the European Union is primarily processed by Meta Platforms Ireland Limited and LinkedIn Ireland Unlimited Company, both established in Ireland (EU). Your data may also be transferred to the respective group companies in the United States (e.g., Meta Platforms, Inc., LinkedIn Corporation). Such transfers are carried out on the basis of the European Commission's adequacy decision of 10 July 2023 under the EU–U.S. Data Privacy Framework, to the extent that the relevant US companies are certified under that framework.

Personal data of EU residents published on Facebook is processed by the data controller Meta Platforms Ireland Limited (Merrion Road, Dublin 4, D04 X2K5, Ireland). Information on how you may exercise your rights as a data subject is available at: https://lt-lt.facebook.com/privacy/explanation. If you have complaints regarding the actions of Meta Platforms Ireland Limited in processing your personal data or implementing (or failing to implement) your rights as a data subject, you have the right to lodge a complaint with Meta Platforms Ireland Limited's lead supervisory authority — the Irish Data Protection Commission — or with the State Data Protection Inspectorate.

Personal data of EU residents published on LinkedIn is processed by the data controller LinkedIn Ireland Unlimited Company (Wilton Place, Dublin 2, Ireland). Information on how you may exercise your rights as a data subject is available at: https://www.linkedin.com/legal/privacy-policy. If you have complaints regarding the actions of LinkedIn Ireland Unlimited Company in processing your personal data or implementing (or failing to implement) your rights as a data subject, you have the right to lodge a complaint with LinkedIn Ireland Unlimited Company's lead supervisory authority — the Irish Data Protection Commission — or with the State Data Protection Inspectorate.

We also use Microsoft products and services and have concluded a Data Processing Agreement with Microsoft Ireland Operations Limited, established in Ireland. However, in the course of providing services, this data processor may transfer data to third countries. In such cases, your personal data will be protected by Standard Contractual Clauses (processor-to-sub-processor module) agreed between Microsoft Ireland Operations Limited and Microsoft Corporation. These clauses are intended for transfers of personal data from data processors in the European Economic Area to data processors established in third countries that do not ensure an adequate level of personal data protection, as described in Article 46 GDPR and confirmed by European Commission Decision 2021/914/EU of 4 June 2021. We also note that, as stated above, the United States — to the extent that data is transferred to organisations certified under the EU–U.S. Data Privacy Framework, which includes Microsoft Corporation — has been recognised by the European Commission as ensuring an adequate level of protection.

11. Data receipt and disclosure

We receive your data from you, your devices, and public sources (websites, the Register of Legal Entities, the Register of Residents, etc.).

We may disclose information about you to our engaged data processors (cloud and IT service providers, marketing service providers, etc.).

In addition, we may disclose information about you:

• where we are required to do so by law;
• when intending to sell part of our business or assets, by disclosing your personal data to a prospective buyer of the business or part thereof;
• upon the sale of our business or a substantial part of our assets to third parties.

Except as provided in this Privacy Policy, we do not disclose your personal data to any third parties.

More detailed information is available here.

12. What are your rights and how can you exercise them?

This section provides information about your rights in relation to our processing of your personal data, and the circumstances in which you may exercise those rights. If you wish to obtain more information about your rights or to exercise them, please contact us at the email address indicated in this Privacy Policy.

We facilitate the exercise of your rights and generally provide information free of charge. We will, without undue delay and no later than 1 (one) month from receipt of your request, provide you with information about the actions taken in response to your request regarding the exercise of your rights. Depending on the complexity of the request and the number of requests received, this period may be extended by a further 2 (two) months. In such a case, we will inform you of the extension and its reasons within 1 (one) month of receiving your request. We will only refuse to implement your rights in cases provided for by law.

12.1 Right of access to your personal data

We aim to ensure that you fully understand how we process your personal data and that you do not experience any inconvenience as a result. Information about how we process your personal data is provided primarily in this Privacy Policy (right to be informed). Nevertheless, you may contact us at any time to ask whether we are processing any of your personal data. If we store or use your personal data in any way, you have the right to access it. To do so, please submit a written request to us at the email address indicated in this Privacy Policy and confirm your identity (where such confirmation is required in the specific case).

12.2 Right to withdraw consent

If you have given us explicit consent to process your data, you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

For information on how to withdraw your consent to the use of cookies, how to refuse cookies, or how to delete them, please refer to the "Cookies" section of this Privacy Policy.

12.3 Other rights

Below we provide information about your other rights, which you may exercise in accordance with the procedure described.

a. You have the right to request that we correct any inaccuracies in the data we hold. In such cases, we may ask you to confirm the corrected information.

b. You have the right to request that we erase your personal data. This right may be exercised in the cases provided for in Article 17 of the General Data Protection Regulation (EU) 2016/679.

c. You have the right to request that we restrict the processing of your personal data or cease processing it:

• for the period necessary to verify the accuracy of your personal data, where you raise a query regarding its accuracy;
• where our collection, storage, or use of your personal data is unlawful, but you decide not to request erasure;
• where your personal data is no longer needed by us, but you require it in order to establish, exercise, or defend a legal claim;
• for the period necessary to determine whether we have overriding legitimate grounds to continue processing your personal data, where you have exercised your right to object to processing.

d. You have the right to data portability in respect of data that is processed by automated means and which you have provided to us in a structured, commonly used, and machine-readable format, on the basis of your consent or for the purposes of concluding a contract. Upon exercise of this right, we will, at your request, transfer a copy of the data you have provided to you or to a data controller of your choice.

e. You have the right to object, in the manner set out in Article 21 GDPR, to our use of your personal data, for example where we process your personal data on the basis of our legitimate interest.

f. You have the right to object to the processing of your personal data for direct marketing purposes. Where we process your personal data for direct marketing purposes, you have the right to object at any time to the use of your personal data, including profiling related to such marketing. In such cases, we will cease processing your personal data for those purposes.

12.4 Right to request further information

We strive to provide the clearest and most comprehensive information about personal data processing and undertake to update this Privacy Policy whenever the personal data usage process changes. Nevertheless, if you have any questions about the use of your personal data, we will be pleased to answer them or to provide any additional information we are able to disclose. If you have any specific questions or have not understood the information provided, please contact us.

13. Complaints

If you believe that your rights as a data subject are or may be infringed, please contact us without delay at the email address indicated in this Privacy Policy. We undertake that, upon receipt of your complaint, we will contact you within a reasonable period and keep you informed of the progress of the investigation and its outcome.

If you are dissatisfied with the results of the investigation, you may lodge a complaint with the supervisory authority – the State Data Protection Inspectorate. https://vdai.lrv.lt/.