INDEX

• Objective of the Privacy Policy
• Definition of personal data
• Identity of the Data Controller
• Applicable laws and regulations
• Principles applicable to the processing of personal data
• Security measures
• Purposes of processing
• Lawfulness of processing
• Recipients of your data
• Data processing activities carried out
• Personal data of minors
• Origin and types of data processed
• Rights of data subjects
• Modification

1. OBJECTIVE OF THE POLICY At Spain Startup and Investor Services S.L (hereinafter, Spain Startup), we respect your privacy and protect your personal data. This policy details how we collect, use, and share your information in accordance with applicable data protection regulations, including the General Data Protection Regulation (GDPR). This privacy policy applies to the website http://www.southsummit.io. If you do not provide us with your personal data, no processing of your information will be carried out. We will inform you about the purposes of processing, the entities that may access your data, and your rights as the data subject. Some processing may be based on legal obligations, contracts, or legitimate interests, without requiring your express consent. If the website uses cookies, we will clearly notify you in our Cookie Policy, where you can find more information about the use of cookies and how to manage your preferences. This policy ensures transparency and is designed for you to clearly understand and exercise your rights. 2. DEFINITION OF PERSONAL DATA Personal data: Personal data means any information relating to an identified or identifiable natural person ("website user"). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 3. IDENTITY OF THE DATA CONTROLLER Who collects and processes your data? The Data Controller is: Spain Startup and Investor Services S.L CIF B86685294 How can you contact us?

• Postal address and our offices: Paseo de la Castellana Nº 70, first floor. 28046, Madrid (Madrid), Spain
• Registered office: Paseo de la Castellana Nº 70, first floor. 28046, Madrid (Madrid), Spain
• Email: privacy@southsummit.io - Phone: +34 915625784

Who can help you with our Data Protection Policy? At Spain Startup, we have a Data Protection Officer (DPO), whose function is to ensure compliance with current data protection regulations within our entity. If you have any questions or need assistance regarding the processing of your personal data, you can contact our DPO through the following means:

• Auratech Legal - NIF B87984621
• Email: privacy@spain-startup.com
• Phone: 911134963

4. APPLICABLE LAWS AND REGULATIONS This Privacy and Data Protection Policy is developed based on the following data protection regulations and laws:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Hereinafter GDPR.
• Organic Law 3/2018, of December 5, on Personal Data Protection and Guarantee of Digital Rights. Hereinafter LOPD/GDD.
• Law 34/2002, of July 11, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.

5. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA At Spain Startup, we process personal data in accordance with the principles established in current regulations, ensuring that the processing is:

• Lawful, fair, and transparent: We provide clear and accessible information on how data is collected and used.
• Limited to specific purposes: Data is collected for legitimate purposes and not used for other purposes.
• Data minimization: We only request strictly necessary data.
• Accuracy: We keep data updated and correct inaccurate data.
• Storage limitation: Data is retained only for the time necessary for the stated purposes.
• Integrity and confidentiality: We apply appropriate security measures to protect data.
• Proactive accountability: We assume responsibility for complying with and demonstrating compliance with these principles.

6. SECURITY MEASURES What do we do to guarantee the privacy of your data? At Spain Startup, we have implemented the necessary technical and organizational measures to ensure the security of the personal data we process. These measures are designed to prevent alteration, loss, unauthorized access, or improper processing of data, adapting to the state of technology and potential risks. Among the measures, we highlight:

• Confidentiality: Only authorized persons can access the information.
• Integrity: Information is kept accurate and protected against unauthorized modifications.
• Availability: We ensure that data is accessible to authorized persons at all times.
• Continuous evaluation: We regularly review and improve our security measures to adapt to new threats and technological advances.
• Pseudonymization and encryption: We apply these techniques to strengthen data protection, especially sensitive data.

7. PURPOSES OF PROCESSING Why do we want to process your data? Below we detail the intended uses and purposes: Management of Travel and Accommodation Bookings - South Summit Coordinate with partners and suppliers to manage bookings and discounts to facilitate event attendance Provide exclusive travel, accommodation, and transport information and offers to event attendees Promote exclusive agreements with partners related to travel and accommodation services Carry out personalized follow-up of requests received through the web landing page. Startup Competition Evaluation Committee Coordinate online discussion sessions to select finalist projects Send emails with links to register on the platform and the session schedule Evaluate pre-selected projects using the evaluation platform Manage committee members' access to the platform and startup data Invite corporations, investment funds, and institutions to participate in the evaluation committee Cookies, pixel, and tracking Share information on social networks. "Fav", "Like", "+1" and similar buttons Obtain statistical data on user navigation, identify problems, and analyze their preferences Third-party video and map transmission. A function or plugin provided by a third party establishes a direct connection between the user's browser and the third party's internet domains, allowing the function to be downloaded and executed Co-organization of the South Summit Madrid event Communication and marketing: Send event-related information, updates, news, and promotional materials. This includes sending emails and other messages to keep attendees informed about event details and any important changes or news Event access control: Manage access for participants, volunteers, and speakers. This ensures that only authorized individuals can enter certain areas of the event Compliance with GDPR obligations: Address requests for exercising rights according to the GDPR and notify security breaches. This involves managing participant requests related to their personal data and notifying competent authorities of any security breaches Surveys and feedback: Collect opinions and suggestions from participants to improve future events. After the event, surveys will be sent to gather attendees' opinions on what they liked and what could be improved Participant management: Allow participation in South Summit activities and sections. This includes coordinating activities in which participants can get involved and ensuring everyone has the necessary information to participate actively Registered user management: Facilitate e-commerce and business opportunities for partners. This includes allowing startups and other companies to interact and do business during the event and through the event platform Event organization and management: Coordinate and execute all activities related to event planning and execution. This includes ensuring all parts of the event run smoothly, such as activity scheduling, speaker coordination, and general logistics Registration and access control: Manage registrations, accreditations, and event tickets. This means registering all individuals who will attend the event, ensuring they have the correct credentials, and controlling who enters and exits the event venue Streaming and session recording: Live stream and record event presentations and activities. This allows people who cannot attend in person to watch presentations and activities online and for recordings to be available for later viewing Use of images: Record and stream event presentations, and display images on the web and social networks. This involves taking photos and videos of the event and sharing them online for promotion and event coverage Facility video surveillance: Ensure the security of people, property, and facilities through video surveillance. This means security cameras will be used to monitor the event venue and ensure the protection of everyone present Compliance with GDPR obligations Process your data for the purpose of addressing requests in the exercise of the rights established by the General Data Protection Regulation (Art. 5 GDPR) and, where appropriate, for the notification of personal data breaches to the supervisory authority and data subjects (Articles 33 and 34 GDPR) Address citizen requests in the exercise of the rights established by the General Data Protection Regulation and information privacy Event Access Management - South Summit Control space capacity in real-time to ensure safety and compliance with local regulations Manage attendee lists to facilitate registration and resolve potential incidents during access Collect attendance data for analysis and improvement of future event editions Verify and validate attendee access to the event using QR codes or other registration systems Management of Collaborators in Events and Content Production Coordination of tasks and responsibilities in event production Management of speaker relationships and content scheduling Supervision of the development and achievement of production objectives Communications and Newsletters Management – South Summit Send newsletters with news from the South Summit ecosystem (events, speakers, startups, opportunities) Manage subscriber preferences and revocations (opt-out / unsubscribe) Inform about own or partner innovation services or programs Maintain evidence of granted consent (registration and traceability) Promote conferences, competitions, and activities organized by South Summit Website Query Management - South Summit Channel ideas, suggestions, and proposals to improve the organization's services and activities Respond to requests received through web forms, such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us Facilitate communication between the organization and users interested in different aspects of the event Manage and record user inquiries interested in collaborating or participating in South Summit activities Provide support and information related to services and events organized by South Summit Management of participants and collaborating companies - South Summit Organization of South Summit as a global physical gathering in Madrid, connecting different global innovation hubs, and connecting key national and international innovation players with physical networking and through the digital platform. South Summit becomes a 365-day connection platform, with meetings throughout the year, both in-person and digital, to continue connecting key players in the innovation ecosystem and enhancing the best of both worlds. This omnichannel format will be developed both virtually and in-person as circumstances or the convenience of the chosen format for each section advise. Management and contact with users Social Media Management - South Summit Create and publish promotional, informative, and engaging content on social media Identify trends and opportunities through analysis of interaction data Interact with followers by responding to comments, direct messages, and mentions Monitor statistics and metrics to improve social media strategy and foster community participation Promote South Summit activities, events, and services Participation Request Management - Partner with Us CATEGORIES OF DATA SUBJECTS: Natural persons acting on behalf of companies, universities, public or private entities, startups, innovation hubs, commercial delegations, corporations, or investment funds interested in establishing collaborations or agreements with South Summit. DATA CATEGORIES: Identification data (name, surname, professional email, phone); Professional data (represented company or organization, headquarters, position, area of work, sector of activity); Commercial or relationship data (reason for interest in being a partner, editions of interest: Madrid/Brazil/Korea, comments or free information); Optional consent (acceptance to receive commercial communications); Minimum technical data (IP address and submission metadata: date, time, browser). ORIGIN: Directly from the data subject through voluntary completion of the "Partner with Us" web form hosted on southsummit.io. Manage requests to collaborate as partners or exhibitors at the event Inform companies about stand types, rates, and available services to participate in South Summit Offer personalized attention and resolve doubts related to event participation Register and follow up on received inquiries to convert them into commercial agreements Management of registered users of the competition platform (Startups / Calls) ORIGIN: Data provided by users themselves when registering on the competition.southsummit.io platform or by direct submission to the South Summit team. No data is obtained from external sources. COLLECTIVES: Registered startups, South Summit partners, registered investors, Startup Competition participants. DATA CATEGORIES: Identification data (name, company, position, country), Contact (email, phone), Professional (pitch deck, project description, startup information, sector of activity), Location data (city, country). Profile analysis Facilitate registration and access for startups, partners, and investors to the Startup Competition platform Manage startup registration in the competition and associated services Offer technical support to users and resolve incidents during the registration and evaluation process Allow contact between competition participants and South Summit partners to generate business opportunities Promote user participation in future events and competitions organized by South Summit Video Surveillance Management in Offices and Event Facilities Control access and prevent security incidents in all facilities Ensure the security of people, property, and infrastructure in South Summit offices and facilities Provide security during the organization and development of events in temporary venues Provide recordings to competent authorities in case of incidents or investigations Volunteer Management Support in accreditation, logistics, and venue access Assign tasks and schedules to volunteers during the event Support startups, speakers, and investors within the Marketplace and in meetings Facilitate communication with volunteers before, during, and after the event for organizational matters Ensure occupational risk prevention for volunteers during their collaboration in the event Provide information to visitors and coordinate flows within the venue Evaluation Jury Management - Startup Competition Send invitations and coordinate the participation of jury members, indicating dates and sessions Manage jury registration requests received through the "Become a Jury" form Maintain communication with jury members to inform them about competition-related activities Organize and facilitate the evaluation of the 100 selected startups through the South Summit platform Organize and facilitate the evaluation of the 100 selected startups through the South Summit platform Integrated Agenda and Calendar Management - South Summit Appointment and agenda control Coordination and reminder of scheduled meetings within South Summit Generation of personalized calendars based on user preferences and profile Management of personalized agendas for event participants Organization of appointments and meetings between attendees, investors, startups, and exhibitors Planning of selected activities in the event program Integrated attendee and ticket sales management (includes waiting list / pre-sale) Origin of data: The data subject themselves when registering on the sales platform or on the waiting list / pre-sale of the southsummit.io domain or associated subdomains (e.g., presale.southsummit.io). They may also come from integrations with payment gateways or accreditation systems (Stripe, Paycomet, Eventbrite). Affected collectives: Attendees and ticket buyers. Users registered on Waiting List / Pre-sale. Applicants for special passes (investors, press, speakers). Data categories: Basic / Identification: Name and surname, email, phone (optional), company / organization, country / city. Professional data: Professional area ("Working in") declared in waiting list or registration forms. Transactional / access data: Ticket type, QR code, validation date and time, billing and payment data (through the gateway), technical logs (IP, browser, validations). Control event access using digital systems (QR codes or equivalents) Comply with legal and tax obligations associated with ticket sales Send operational information about the event (location, schedules, updates) Facilitate event participation statistics to improve future editions Manage ticket purchases through the South Summit website Manage waiting lists and pre-sales to inform about the opening of future editions or promotions Process and respond to requests for special passes such as the Investor Pass or the Press Pass Integrated Event Management - South Summit App Agenda. Calendar with South Summit events. Sending direct messages between all event attendees. Exhibitors. List of companies with stands, their contact details, and responsible person. Initiation of video calls from the messages section with people with whom a conversation is open. My Event. Events that each user has marked and meetings with other users. My QR. QR code that allows accreditation to access the event. Networking. List of all attendees to be able to contact them. Speakers. Access to each Speaker's profile where you can connect with their social networks and companies. Startup competition. List of participating companies in the competition, their contact details, and company videos. Possibility to open a direct message with the company. Integrated Speaker Management - South Summit ORIGIN: Data submitted via the "Apply to Speak" form, hosted on Typeform (southsummit.typeform.com). Data provided by the candidate or by a nominating third party (recommendation) is analyzed. Some data may be verified using public sources (LinkedIn, corporate websites). COLLECTIVES: Candidate speakers, selected speakers, speakers nominated by third parties. DATA CATEGORIES: Identification data (name, surname); Contact (email, phone); Professional profile (biography, company, position, links to professional networks); Location data (country/city); Professional material (videos, previous talks, portfolio). NOTE: Special categories are not requested. If the candidate spontaneously provides them, they are blocked and not used for selection. Evaluate the suitability of the application Manage communications related to the selection process Organize the speaker's participation in the event Publish the speaker's professional information on the event's official channels (web, agenda, dossier) Collect information from speaker candidates Management of images, videos, and audiovisual content of the South Summit event Grant images and videos to accredited press and media exclusively for event news coverage Disseminate and communicate activities carried out during South Summit through the website, social networks, and official channels. Produce audiovisual and photographic materials for promotional, informative, or institutional purposes, including their use in future editions Record and live stream presentations, roundtables, and interviews conducted at the event Preserve the event's historical audiovisual archive (internal or documentary use) Management of Data Exchange at Events via QR Codes in the South Summit Application Facilitate contact exchange between attendees and exhibiting companies within the application Ensure the operability of the South Summit application as a networking tool at the event Allow exhibiting companies to manage contacts obtained during the event within the same platform How long do we keep your data? We use your data for the time strictly necessary to fulfill the purposes indicated above. Unless there is a legal obligation or requirement, the foreseen retention periods are: Management of Travel and Accommodation Bookings - South Summit: For a period of 5 years from the last confirmation of interest. Data will be retained as long as there is a contractual or commercial relationship with the data subject or until they exercise their right to erasure. In case of consent revocation, data will be blocked and kept exclusively for the defense of legal or contractual claims, for the periods established by regulations. Startup Competition Evaluation Committee: As long as the commercial relationship is maintained. Data will be retained for the time necessary for the organization and management of the evaluation process. After the termination of the commercial relationship, data will be retained for a minimum of six years in accordance with the Commercial Code and tax regulations. Evaluator access to the platform will be enabled for a limited period of three weeks after the evaluation process ends. Cookies, pixel, and tracking: You must access our cookie policy to know the retention time of each cookie as well as the information collected. Co-organization of the South Summit 2025 event. Registration and contact data: Will be retained for 5 years from the last confirmation of interest.

• Images and recordings: Will be retained according to the policies of the social media platforms used and for historical and promotional purposes of the event.
• Transaction data: Will be retained for 5 years according to applicable tax and accounting regulations.
• Video surveillance data: 1 month from the recording date.
• Compliance with GDPR obligations: As long as its erasure is not requested by the data subject.
• Access control: 5 years from the last confirmation of interest.
• Participant management: 6 years according to the Commercial Code and tax regulations.
• Registered user management: 6 years from the last confirmation of interest.

Compliance with GDPR obligations: As long as its erasure is not requested by the data subject. The personal data provided will be retained as long as its erasure is not requested by the data subject or when the data is no longer necessary - including the need to retain it during applicable limitation periods - or relevant for the purpose for which it was collected or recorded. Event Access Management - South Summit: For a period of 5 years from the last confirmation of interest. Data will be processed and retained as long as necessary to comply with the purposes of access control. Subsequently, it will be securely stored and blocked for a period of 5 years, unless the data subject requests its erasure or there is a legal obligation requiring its retention. Management of Collaborators in Events and Content Production: As long as the commercial or contractual relationship is maintained. Data will be retained as long as necessary to comply with the purposes of processing, respecting the principles of minimization and storage limitation. Subsequently, it will be deleted or anonymized. Communications and Newsletters Management - South Summit: As long as its erasure is not requested by the data subject. Data will be retained as long as the data subject maintains their subscription and does not revoke their consent. In case of inactivity or unsubscribe, it will be deleted or blocked within a maximum period of 1 year, retaining only evidence of consent and unsubscribe for GDPR compliance purposes (Art. 7.1) and defense of claims. Website Query Management - South Summit Data will be retained as long as there is a contractual and/or commercial relationship with the data subject, or as long as its erasure is not requested. After the termination of the relationship, data will be blocked and remain available only for the exercise or defense of legal or contractual claims, during the applicable limitation periods. Once these periods have passed, data will be securely deleted. Management of participants and collaborating companies – South Summit: For a period of 6 years from the last confirmation of interest. After the relationship ends and is not linked to other issues, it is retained for a minimum period of 6 years, in accordance with the Commercial Code and tax regulations. Social Media Management - South Summit: As long as its erasure is not requested by the data subject. Personal data will be processed as long as it is necessary or relevant for the established purposes. If the data subject requests erasure, the data will be blocked in accordance with the GDPR, for a maximum period of three years, for its availability in case of legal requirements by judges, courts, or competent authorities. Statistical and metric records will be kept anonymized for analysis and improvement of future strategies. Participation Request Management - Partner with Us Data will be retained for the duration of the application evaluation and the pre-contractual relationship. If no collaboration is formalized, it will be kept blocked for 2 years for future opportunity tracking or compliance with legal obligations. Data processed based on consent for communications will be retained as long as the data subject does not withdraw such consent. Management of registered users of the competition platform (Startups / Calls) 2 years Video Surveillance Management in Offices and Event Facilities: For a period of 1 month from the last confirmation of interest. Recordings will be retained for a maximum period of 1 month from their capture, unless required for the resolution of incidents by competent authorities. In case a recording is necessary for the investigation or defense of legal rights, it may be blocked and retained for the legally established period. Volunteer Management: For a period of 5 years from the last confirmation of interest. Data will be processed and retained as long as necessary for the purposes foreseen in event management. After 5 years from the volunteer's last interaction or collaboration, data will be securely deleted, unless there is a legal obligation for its retention. Evaluation Jury Management - Startup Competition: As long as the commercial relationship is maintained. Personal data of jury members will be processed as long as there is a contractual or collaboration relationship with South Summit. After the relationship ends, data will be blocked and retained for a minimum period of 6 years in accordance with the Commercial Code and tax regulations. Data related to evaluations will be anonymized once organizational and legal purposes are met. Integrated Agenda and Calendar Management - South Summit: As long as its erasure is not requested by the data subject. Personal data will be retained for the duration of the event and a maximum period of 2 years to maintain the commercial relationship with the data subject, unless its erasure is requested earlier or there is a legal obligation to retain it. Integrated attendee and ticket sales management (includes waiting list / pre-sale) Buyer and attendee data will be retained for 5 years after the event ends, in accordance with tax and guarantee obligations. Waiting list and pre-sale data will be retained for 1 year or until purchase or cancellation of interest. Access logs will be deleted at the end of the legal period (max. 5 years). Integrated Event Management - South Summit App: As long as the commercial relationship is maintained. Data will be retained as long as the user keeps their account active and does not request data erasure. Once the event ends, data will be deleted within a maximum of 2 years, unless there is a legal obligation to retain it. Integrated Speaker Management - South Summit Application data will be retained for 2 years for possible future editions, unless there is opposition or a request for erasure. Selected speaker profiles may be retained as part of the event's historical archive or until consent for their publication is revoked. Annual purging of unselected applications. Immediate erasure if the candidate requests it. Temporary blocking if there are claims or incidents. Management of images, videos, and audiovisual content of the South Summit event Images, videos, and recordings will be retained as long as they are useful for the informative and promotional purposes of the event and future editions, and may subsequently be kept in a historical audiovisual archive for documentary or institutional memory purposes. On social networks and third-party platforms, retention will be governed by the policies of those platforms. Data subjects may request the withdrawal or limitation of the use of their image at any time in accordance with Articles 17 and 18 GDPR. Management of Data Exchange at Events via QR Codes in the South Summit Application: As long as the commercial relationship is maintained. Data will be retained as long as the user keeps their account active in the South Summit application or until they request its deletion. 8. LAWFULNESS OF PROCESSING Why do we process your data? The collection and processing of your data is always legitimized by one or more legal bases, which we detail below: Management of Travel and Accommodation Bookings - South Summit

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Startup Competition Evaluation Committee

• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.a GDPR) Consent of the data subject

Cookies, pixel, and tracking

• (Art. 6.1.a GDPR) Consent of the data subject

Co-organization of the South Summit event

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.e GDPR) Performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller

Compliance with GDPR obligations Legal obligation for historical, statistical, or scientific research purposes

• GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
• Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations. Common administrative procedure law
• General Data Protection Regulation. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Event Access Management - South Summit

• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Management of Collaborators in Events and Content Production

• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Communications and Newsletters Management – South Summit

• (Art. 6.1.a GDPR) Consent of the data subject

Website Query Management - South Summit

• (Art. 22 LOPD/GDD) Processing of images from camera or video camera systems to preserve the security of people, property, and facilities
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties

Management of participants and collaborating companies – South Summit

• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties
• (Art. 6.1.a GDPR) Consent of the data subject

Social Media Management - South Summit Explicit consent of the data subject

• GDPR: 6.1.a) Consent of the data subject. The legal basis for sending information related to professional practice or professional interest and for the provision of voluntary services is the consent you provide, which you can withdraw at any time.

Participation Request Management - Partner with Us

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties

Management of registered users of the competition platform (Startups / Calls)

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties

Video Surveillance Management in Offices and Event Facilities Legitimate interest of the Controller or third parties

• GDPR: 6.1.f) Satisfaction of legitimate interests pursued by the controller.

Volunteer Management

• Explicit consent of the data subject

Evaluation Jury Management - Startup Competition

• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.a GDPR) Consent of the data subject

Integrated Agenda and Calendar Management - South Summit Explicit consent of the data subject

• GDPR: 6.1.a) Consent of the data subject. The legal basis for sending information related to professional practice or professional interest and for the provision of voluntary services is the consent you provide, which you can withdraw at any time.

Existence of a contractual relationship with the data subject through a contract or pre-contract Legitimate interest of the Controller or third parties GDPR:

• 6.1.e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Integrated attendee and ticket sales management (includes waiting list / pre-sale)

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.c GDPR) Compliance with legal obligations of the Controller

Integrated Event Management - South Summit App

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

Integrated Speaker Management - South Summit

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 22 LOPD/GDD) Processing of images from camera or video camera systems to preserve the security of people, property, and facilities
• (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties

Management of images, videos, and audiovisual content of the South Summit event

• (Art. 6.1.a GDPR) Consent of the data subject
• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract
• (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties

Management of Data Exchange at Events via QR Codes in the South Summit Application

• (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract

9. RECIPIENTS OF YOUR DATA To whom do we transfer your data within the European Union? Occasionally, to fulfill our legal obligations and our contractual commitment with you, we are obliged and need to transfer some of your data to certain categories of recipients, which we specify below: Management of Travel and Accommodation Bookings - South Summit. Data may be shared with authorized partners and suppliers for booking management and discount application, always under data processor agreements that comply with the GDPR. No additional transfers will be made unless legally required. Startup Competition Evaluation Committee. Partner companies acting as the committee will access the South Summit platform to evaluate the most promising Startups. Cookies, pixel, and tracking: Companies dedicated to advertising or direct marketing Co-organization of the South Summit 2025 event. Co-organizers: Data may be shared with IE University (INSTITUTO DE EMPRESA, S.L., IE UNIVERSIDAD and FUNDACIÓN IE) and South Summit for joint event management. Service providers: Security, marketing, technology, and logistics companies. Public authorities: When required by applicable legislation (royal household and ministry of the presidency). Law enforcement agencies: For the investigation of criminal offenses. Participants and attendees: Through attendee lists and event promotional materials. Social networks: Data will be transferred to platforms such as Meta and Instagram. Collaborating companies: For event management and marketing. Travel agencies: For accommodation and travel offers. Compliance with GDPR obligations: Public administration with competence in the matter. In the case of security breach notification: Spanish Data Protection Agency. Event Access Management - South Summit. Attendee data will not be transferred to third parties, unless there is a legal obligation or it is necessary to guarantee event security (e.g., local authorities). If an external provider is contracted for access system management, data processor agreements complying with the GDPR will be signed. Website Query Management - South Summit. No data transfers to third parties are made, except for legal obligation or with the express consent of the data subject to forward their query to South Summit collaborators or partners for resolution. Data processors: Hosting and cloud service providers for data and system hosting (e.g., AWS, Google Cloud, Azure, or others). Email and messaging service providers for managing and sending communications related to queries. Technical support companies that manage web form platforms and CRM tools. Collaborating companies or partners that may intervene in resolving queries depending on the type of request received. Management of participants and collaborating companies – South Summit: Tax Administration; Banks, savings banks, and rural savings banks; Public administration with competence in the matter. Social Media Management - South Summit. Data may be shared with technology service providers and social media platforms such as Facebook, Instagram, LinkedIn, TikTok, and Twitter, according to the privacy policies of those platforms. Management of registered users of the competition platform (Startups / Calls). Data processors: No transfers in the strict sense are made, but data is shared with data processors that provide services to South Summit: - Hosting and cloud storage providers for the competition.southsummit.io platform - Email marketing and communication tools with participants - Technical support and platform maintenance providers International transfers: Data may be hosted on servers located outside the European Economic Area (EEA), always under adequate safeguards such as standard contractual clauses approved by the European Commission or equivalent mechanisms. Video Surveillance Management in Offices and Event Facilities. Images may be communicated, in the context of reporting or investigating criminal offenses, to State Security Forces and Corps, Judicial Bodies, Public Prosecutor's Office. Volunteer Management: Social Security bodies. Integrated Agenda and Calendar Management - South Summit: Group entities. Agenda data may be shared with third parties (such as other attendees with whom the user agrees to meetings) with the explicit consent of the data subject. Technology providers responsible for maintaining the agenda management platform, always under agreements that guarantee GDPR compliance. Integrated attendee and ticket sales management (includes waiting list / pre-sale): Banks, savings banks, and rural savings banks. Recipients: No data transfers to third parties are made, except for legal obligation (e.g., competent tax or judicial authorities). Data processors: Providers that offer services with access to personal data in accordance with Art. 28 GDPR contracts: - Ticket sales and management platform / ticketing. - Certified payment gateways (Stripe, Paycomet, etc.). - Access control and accreditation provider. - Cloud services and technical support associated with the southsummit.io domain. International transfers: Only if processors or sub-processors host data outside the EEA. In such cases, Standard Contractual Clauses (SCC) or the Data Privacy Framework (DPF) will be applied to ensure an adequate level of protection. IE UNIVERSITY (CIF: G40155384) - South Summit attendees or other events - Identification data (Name and surname) Management of Data Exchange at Events via QR Codes in the South Summit Application Google LLC, Google Ireland Limited (CIF: IE6388047V) - South Summit attendees or other events - Identification data (Name and surname; Email) Do we make International Transfers of your data outside the European Union? In the context of our data processing processes, we may use external services that involve storing and/or processing your data by organizations outside the European Union. This entails making international transfers of your data. Communications and Newsletters Management – South Summit The Rocket Science Group LLC d/b/a Mailchimp - United States Guaranteed level of protection: Adequate Safeguards Category of safeguards: Safeguards approved by the Supervisory Authority

• Standard contractual clauses

. 10. DATA PROCESSING ACTIVITIES The data processing activities carried out through http://www.southsummit.io are described below, specifying:

• Activity: Name of the data processing activity.
• Purposes: Uses and processing carried out with the collected data.
• Legal basis: Legal grounds that legitimize data processing.
• Data processed: Types of data processed.
• Origin: Source of the data.
• Retention: Data retention period.
• Recipients: Third parties to whom data is transferred.
• International transfers: Data transfers outside the European Union.

10.1. Processing activities These are data processing activities whose purposes are necessary for the provision of services. COMPLIANCE WITH GDPR OBLIGATIONS Legal Bases Legal obligation for historical, statistical, or scientific research purposes (GDPR: 6.1.c) Processing is necessary for compliance with a legal obligation to which the controller is subject., Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, General Data Protection Regulation) Purposes Address citizen requests in the exercise of the rights established by the General Data Protection Regulation; Data Protection and information privacy; Process your data for the purpose of addressing requests in the exercise of the rights established by the General Data Protection Regulation (Art. 5 GDPR) and, where appropriate, for the notification of personal data breaches to the supervisory authority and data subjects (Articles 33 and 34 GDPR) Data categories and collectives Clients (Identification data). Employees (Identification data; Employment details) Data origin The data subject themselves or their legal representative Category of recipients Public administration with competence in the matter; In the case of security breach notification: Spanish Data Protection Agency. International transfer Not foreseen Retention period As long as its erasure is not requested by the data subject. The personal data provided will be retained as long as its erasure is not requested by the data subject or when the data is no longer necessary - including the need to retain it during applicable limitation periods - or relevant for the purpose for which it was collected or recorded. EVENT ACCESS MANAGEMENT - SOUTH SUMMIT Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract Category of recipients Control space capacity in real-time to ensure safety and compliance with local regulations; Manage attendee lists to facilitate registration and resolve potential incidents during access; Collect Purposes attendance data for analysis and improvement of future event editions; Verify and validate attendee access to the event using QR codes or other registration systems Data categories and collectives Volunteers (Identification data). Speaker and presenters (Identification data). South Summit attendees or other events (Identification data) Data origin The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients Attendee data will not be transferred to third parties, unless there is a legal obligation or it is necessary to guarantee event security (e.g., local authorities). If an external provider is contracted for access system management, data processor agreements complying with the GDPR will be signed. International transfer Not foreseen Retention period For a period of 5 years from the last confirmation of interest. Data will be processed and retained as long as necessary to comply with the purposes of access control. Subsequently, it will be securely stored and blocked for a period of 5 years, unless the data subject requests its erasure or there is a legal obligation requiring its retention. Security measures Organizational:

• Definition of internal procedures for ticket management, access control, and incident resolution.
• Training for personnel responsible for access on best practices in personal data management and data protection regulations.
• Assignment of clear roles and responsibilities in the organization of access control.
• Establishment of confidentiality agreements for personnel or third parties who manage attendee data.

Technical:

• Ticket validation using encrypted QR codes, ensuring security and accuracy in identification.
• Encryption of data in transit (HTTPS) and at rest (AES-256) to protect information stored in access systems.
• Multi-factor authentication system for employees with access to ticket management platforms.
• System activity logging to audit access and prevent misuse of data. Regular backups of data related to tickets and access, stored on secure servers.

Physical:

• Physical access control in registration areas and access control systems, including surveillance and security measures at the event venue.
• Secure storage of devices and documents related to access management.

MANAGEMENT OF COLLABORATORS IN EVENTS AND CONTENT PRODUCTION Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract Purposes Coordination of tasks and responsibilities in event production; Management of speaker relationships and content scheduling; Supervision of the development and achievement of production objectives Data categories and collectives Registered users / South Summit App users (Identification data). Clients (Identification data). Employees (Identification data). Speaker and presenters (Identification data). South Summit attendees or other events (Identification data; Personal characteristics; Employment details; Economic, financial, and insurance; Commercial information; Credit information). Registered competition users (Identification data) Data origin The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients Not foreseen International transfer Not foreseen Retention period As long as the commercial or contractual relationship is maintained. Data will be retained as long as necessary to comply with the purposes of processing, respecting the principles of minimization and storage limitation. Subsequently, it will be deleted or anonymized. Security measures

• Information Security Policy (ISP): Implement and keep updated a security policy adapted to legal regulations and company needs.
• Access Control: Restricted access to personal data through multi-factor authentication (MFA) and role-based permissions.
• Information Encryption: Use of encryption during data transmission and storage (HTTPS, disk encryption).
• Training and Awareness: Regular training for collaborators on best practices in data protection and information security.
• Activity Logging: Maintenance of a detailed log of data access and modifications.

WEBSITE QUERY MANAGEMENT - SOUTH SUMMIT Legal bases (Art. 22 LOPD/GDD) Processing of images from camera or video camera systems to preserve the security of people, property, and facilities; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties Purposes Channel ideas, suggestions, and proposals to improve the organization's services and activities; Respond to requests received through web forms, such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us; Facilitate communication between the organization and users interested in different aspects of the event; Manage and record user inquiries interested in collaborating or participating in South Summit activities; Provide support and information related to services and events organized by South Summit Data categories and collectives People who access and contact via the web (Identification data; Employment details; Other categories) Data origin The data subject themselves or their legal representative; People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us Category of recipients No data transfers to third parties are made, except for legal obligation or with the express consent of the data subject to forward their query to South Summit collaborators or partners for resolution. Data processors: Hosting and cloud service providers for data and system hosting (e.g., AWS, Google Cloud, Azure, or others). Email and messaging service providers for managing and sending communications related to queries. Technical support companies that manage web form platforms and CRM tools. Collaborating companies or partners that may intervene in resolving queries depending on the type of request received. International transfer Not foreseen Retention period Data will be retained as long as there is a contractual and/or commercial relationship with the data subject, or as long as its erasure is not requested. After the termination of the relationship, data will be blocked and remain available only for the exercise or defense of legal or contractual claims, during the applicable limitation periods. Once these periods have passed, data will be securely deleted. Security measures Encryption of data in transit via HTTPS and at rest via AES-256. Role-based access control for personnel managing queries. Secure authentication system with strong passwords and multi-factor authentication (MFA). Activity logging and auditing of actions performed on data. Retention policies and secure data deletion in accordance with established periods. Servers hosted in data centers with advanced physical and technical security measures. VIDEO SURVEILLANCE MANAGEMENT IN OFFICES AND EVENT FACILITIES Legal bases Legitimate interest of the Controller or third parties (GDPR: 6.1.f). Satisfaction of legitimate interests pursued by the controller. Purposes Control access and prevent security incidents in all facilities; Ensure the security of people, property, and infrastructure in South Summit offices and facilities; Provide security during the organization and development of events in temporary venues; Provide recordings to competent authorities in case of incidents or investigations Data categories and collectives Employees (Identification data). Visitors (Identification data) Data origin The data subject themselves or their legal representative Category of recipients Images may be communicated, in the context of reporting or investigating criminal offenses, to State Security Forces and Corps, Judicial Bodies, Public Prosecutor's Office. International transfer Not foreseen Retention period For a period of 1 month from the last confirmation of interest. Recordings will be retained for a maximum period of 1 month from their capture, unless required for the resolution of incidents by competent authorities. In case a recording is necessary for the investigation or defense of legal rights, it may be blocked and retained for the legally established period. Security measures Organizational:

• Implementation of internal policies to regulate the use of video surveillance systems in offices and events, ensuring that access to recordings is exclusive to authorized personnel.
• Visible notices in all monitored areas (offices and temporary event venues) informing data subjects about the existence of cameras and the processing of images in accordance with the GDPR.
• Supervision by a designated responsible person to ensure that recordings are used only for security purposes.
• Training of personnel responsible for applicable regulations and the proper use of video surveillance systems.

Technical:

• Configuration of recording systems with secure and encrypted storage (AES-256)
• Use of multi-factor authentication to access video surveillance systems, limiting access only to authorized personnel
• Scheduling for automatic deletion of recordings after the retention period (1 month)
• Monitoring and auditing of access to video surveillance systems to ensure traceability.
• Storage of recordings on secure servers, preferably with ISO 27001 certification, located within the EEA.

Physical:

• Strategic installation of cameras in common areas, access points, loading/unloading zones, and sensitive areas, avoiding image capture in private spaces (such as bathrooms or changing rooms)
• Physical protection of recording devices through restricted access systems (security locks, physical surveillance)
• Access control to monitored venues (offices and events) to minimize risks related to recordings.

MANAGEMENT OF DATA EXCHANGE AT EVENTS VIA QR CODES IN THE SOUTH SUMMIT APPLICATION Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract Purposes Facilitate contact exchange between attendees and exhibiting companies within the application; Ensure the operability of the South Summit application as a networking tool at the event; Allow exhibiting companies to manage contacts obtained during the event within the same platform Data categories and collectives South Summit attendees or other events (Identification data; Commercial information) Data origin The data subject themselves or their legal representative; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients To exhibiting companies whose QR codes are scanned by the user within the application. To the technology provider and manager of the official South Summit application. (Google LLC, Google Ireland Limited (CIF: IE6388047V)) International transfer Not foreseen Retention period As long as the commercial relationship is maintained. Data will be retained as long as the user keeps their account active in the South Summit application or until they request its deletion. Security measures

• Clear and transparent information: Notice within the application and in the privacy policy about data sharing when scanning a QR.
• Access control and permissions: Only authorized companies within the platform can receive data, ensuring that event terms are met.
• Encryption of data in transit and storage: Protection of information within the application.
• Logging and traceability of access: Monitoring which company receives each user's data within the application.
• Privacy settings: Possibility for the user to manage what data is shared within the platform.

MANAGEMENT OF TRAVEL AND ACCOMMODATION BOOKINGS - SOUTH SUMMIT Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract Purposes Coordinate with partners and suppliers to manage bookings and discounts to facilitate event attendance; Provide exclusive travel, accommodation, and transport information and offers to event attendees; Promote exclusive agreements with partners related to travel and accommodation services; Carry out personalized follow-up of requests received through the web landing page Data categories and collectives Ecommerce Clients (Identification data). People who access and contact via the web (Identification data). Registered users / South Summit App users (Identification data). Representatives of organizations interested in collaborating with South Summit (Identification data). South Summit attendees or other events (Identification data; Employment details). Registered competition users (Identification data) Data origin The data subject themselves or their legal representative; People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us; Private entity; Web contact or collaboration forms (e.g., "Partner with Us", "Get Your Stand"), emails sent to corporate addresses published on the web (info@, partners@, startups@), fairs, conferences, or networking activities where professional contact data is collected.; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients Data may be shared with authorized partners and suppliers for booking management and discount application, always under data processor agreements that comply with the GDPR. No additional transfers will be made unless legally required. International transfer Not foreseen Retention period For a period of 5 years from the last confirmation of interest. Data will be retained as long as there is a contractual or commercial relationship with the data subject or until they exercise their right to erasure. In case of consent revocation, data will be blocked and kept exclusively for the defense of legal or contractual claims, for the periods established by regulations. Security measures Organizational:

• Implementation of internal policies that limit access to data only to authorized personnel and partners related to travel and accommodation management.
• Obtaining explicit consent from the data subject during the landing page registration process.
• Signing confidentiality agreements with partners and suppliers who manage personal data to ensure GDPR compliance.
• Training of personnel responsible for data protection regulations and best practices in personal data management.

Technical:

• Encryption of data in transit (HTTPS) and at rest (AES-256) to protect personal information sent through the landing page and during communications with partners.
• Use of secure request management systems with multi-factor authentication.
• Logging and auditing of access to personal data to ensure traceability and prevent misuse.
• Automatic backups stored on secure servers with ISO 27001 certification.

Physical:

• Storage of related physical documents (if applicable) in restricted areas with controlled access.
• Control of physical access to devices used to manage requests.
• Secure deletion of physical documents once processing purposes are met, through certified shredding.

STARTUP COMPETITION EVALUATION COMMITTEE Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.a GDPR) Consent of the data subject Purposes Coordinate online discussion sessions to select finalist projects; Send emails with links to register on the platform and the session schedule; Evaluate pre-selected projects using the evaluation platform; Manage committee members' access to the platform and startup data; Invite corporations, investment funds, and institutions to participate in the evaluation committee Data categories and collectives Evaluation Committee (Identification data; Other categories) Data origin The data subject themselves or their legal representative; Private entity Category of recipients Partner companies acting as the committee will access the South Summit platform to evaluate the most promising Startups. International transfer Not foreseen Retention period As long as the commercial relationship is maintained. Data will be retained for the time necessary for the organization and management of the evaluation process. After the termination of the commercial relationship, data will be retained for a minimum of six years in accordance with the Commercial Code and tax regulations. Evaluator access to the platform will be enabled for a limited period of three weeks after the evaluation process ends. Security measures Organizational:

• Establishment of confidentiality agreements with evaluation committee members to ensure proper handling of data from participating startups.
• Periodic review of access to the evaluation platform to prevent unauthorized access.
• Data classification and deletion policy after evaluation completion to ensure compliance with the minimization principle.
• Specific training for platform managers and committee members on personal data processing and applicable regulations.

Technical:

• Multi-factor authentication for access to the evaluation platform.
• Encryption of data in transit (HTTPS) and at rest (AES-256) to protect startup information and evaluations performed.
• Activity logging on the platform to audit actions performed by evaluators.
• Restriction of data access only to the authorized three-week period after evaluation sessions end.
• Regular data backup to prevent loss of key information during the evaluation process.

Physical:

• Security in offices where information is accessed, including physical access controls (locked doors, surveillance)
• Use of secure servers located in data centers with international certifications such as ISO 27001.

COOKIES, PIXEL, AND TRACKING Legal bases (Art. 6.1.a GDPR) Consent of the data subject Purposes Share information on social networks. "Fav", "Like", "+1" and similar buttons; Obtain statistical data on user navigation, identify problems, and analyze their preferences; Third-party video and map transmission. A function or plugin provided by a third party establishes a direct connection between the user's browser and the third party's internet domains, allowing the function to be downloaded and executed Data categories and collectives People who access and contact via the web (Commercial information; Other categories) The data subject themselves or their legal representative; People who contact us from Data origin web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us Category of recipients Companies dedicated to advertising or direct marketing International transfer Not foreseen Retention period You must access our cookie policy to know the retention time of each cookie as well as the information collected. Security measures The relevant security measures have been applied to mitigate the existing risk. In any case, the security measures of Article 32 of the GDPR will apply:

• The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
• A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
• The pseudonymization and encryption of personal data.

CO-ORGANIZATION OF THE SOUTH SUMMIT 2025 EVENT. Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.e GDPR) Performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller Purposes Communication and marketing: Send event-related information, updates, news, and promotional materials. This includes sending emails and other messages to keep attendees informed about event details and any important changes or news; Event access control: Manage access for participants, volunteers, and speakers. This ensures that only authorized individuals can enter certain areas of the event; Compliance with GDPR obligations: Address requests for exercising rights according to the GDPR and notify security breaches. This involves managing participant requests related to their personal data and notifying competent authorities of any security breaches; Surveys and feedback: Collect opinions and suggestions from participants to improve future events. After the event, surveys will be sent to gather attendees' opinions on what they liked and what could be improved; Participant management: Allow participation in South Summit activities and sections. This includes coordinating activities in which participants can get involved and ensuring everyone has the necessary information to participate actively; Registered user management: Facilitate e-commerce and business opportunities for partners. This includes allowing startups and other companies to interact and do business during the event and through the event platform; Event organization and management: Coordinate and execute all activities related to event planning and execution. This includes ensuring all parts of the event run smoothly, such as activity scheduling, speaker coordination, and general logistics; Registration and access control: Manage registrations, accreditations, and event tickets. This means registering all individuals who will attend the event, ensuring they have the correct credentials, and controlling who enters and exits the event venue; Streaming and session recording: Live stream and record event presentations and activities. This allows people who cannot attend in person to watch presentations and activities online and for recordings to be available for later viewing; Use of images: Record and stream event presentations, and display images on the web and social networks. This involves taking photos and videos of the event and sharing them online for promotion and event coverage; Facility video surveillance: Ensure the security of people, property, and facilities through video surveillance. This means security cameras will be used to monitor the event venue and ensure the protection of everyone present Data categories and collectives Registered users / South Summit App users (Identification data; Commercial information). Employees (Identification data). Visitors (Identification data). Volunteers (Identification data; Personal characteristics). Speaker and presenters (Identification data; Employment details; Other categories). South Summit attendees or other events (Identification data; Personal characteristics; Employment details; Economic, financial, and insurance; Commercial information; Credit information). Registered competition users (Identification data) Data origin The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients

• Co-organizers: Data may be shared with IE University (INSTITUTO DE EMPRESA, S.L., IE UNIVERSIDAD and FUNDACIÓN IE) and South Summit for joint event management.
• Service providers: Security, marketing, technology, and logistics companies.
• Public authorities: When required by applicable legislation (royal household and ministry of the presidency).
• Law enforcement agencies: For the investigation of criminal offenses.
• Participants and attendees: Through attendee lists and event promotional materials.
• Social networks: Data will be transferred to platforms such as Meta and Instagram.
• Collaborating companies: For event management and marketing.
• Travel agencies: For accommodation and travel offers.

International transfer Not foreseen Retention period

• Registration and contact data: Will be retained for 5 years from the last confirmation of interest.
• Images and recordings: Will be retained according to the policies of the social media platforms used and for historical and promotional purposes of the event.
• Transaction data: Will be retained for 5 years according to applicable tax and accounting regulations.
• Video surveillance data: 1 month from the recording date.
• Compliance with GDPR obligations: As long as its erasure is not requested by the data subject.
• Access control: 5 years from the last confirmation of interest.
• Participant management: 6 years according to the Commercial Code and tax regulations.
• Registered user management: 6 years from the last confirmation of interest.

Security measures In accordance with Article 32 of the GDPR and Recital 83 of the GDPR, the following technical and organizational measures will be implemented to ensure a level of security appropriate to the risk:

• Pseudonymization and encryption of personal data: Use of encryption techniques to protect data during transmission and storage
• Confidentiality, integrity, and availability: Implementation of access controls, firewalls, and intrusion detection systems to protect information.
• Data restoration: Ability to quickly restore the availability and access to personal data in the event of a physical or technical incident.
• Regular evaluations: Continuous process of verifying, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.
• Protection against unauthorized access: Use of multi-factor authentication and role-based access permissions

COMMUNICATIONS AND NEWSLETTERS MANAGEMENT – SOUTH SUMMIT Legal bases (Art. 6.1.a GDPR) Consent of the data subject Purposes Send newsletters with news from the South Summit ecosystem (events, speakers, startups, opportunities); Manage subscriber preferences and revocations (opt-out / unsubscribe); Inform about own or partner innovation services or programs; Maintain evidence of granted consent (registration and traceability); Promote conferences, competitions, and activities organized by South Summit Data categories and collectives South Summit informative and newsletter community (Identification data) Data origin The data subject themselves or their legal representative; Data is collected directly when the data subject enters their email address in the subscription forms on the official South Summit website (https://www.southsummit.io), associated subdomains, or in in-person and digital actions managed by the organization. Subscription requires express consent through an opt-in system (double email verification). Category of recipients Not foreseen International transfer The Rocket Science Group LLC d/b/a Mailchimp - United States (Mass electronic communication platform) - Adequate Safeguards Retention period As long as its erasure is not requested by the data subject. Data will be retained as long as the data subject maintains their subscription and does not revoke their consent. In case of inactivity or unsubscribe, it will be deleted or blocked within a maximum period of 1 year, retaining only evidence of consent and unsubscribe for GDPR compliance purposes (Art. 7.1) and defense of claims. Security measures

• Granular and verifiable consent (double opt-in, registration with date/IP).
• Preference panel for easy revocation.
• Restricted access to authorized marketing personnel.
• TLS/SSL encryption for data transmission.
• Formalized processing agreements with providers.
• Logging and retention of consent and unsubscribe evidence.
• Bi-annual audit of lists and sub-processors.
• Automatic exclusion mechanism ("unsubscribe" functional in each mailing).

MANAGEMENT OF PARTICIPANTS AND COLLABORATING COMPANIES – SOUTH SUMMIT Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties; (Art. 6.1.a GDPR) Consent of the data subject Purposes Management and contact with users; Organization of South Summit as a global physical gathering in Madrid, connecting different global innovation hubs, and connecting key national and international innovation players with physical networking and through the digital platform. South Summit becomes a 365-day connection platform, with meetings throughout the year, both in-person and digital, to continue connecting key players in the innovation ecosystem and enhancing the best of both worlds. This omnichannel format will be developed both virtually and in-person as circumstances or the convenience of the chosen format for each section advise. Data categories and Clients (Identification data) Data origin The data subject themselves or their legal representative Category of recipients Tax Administration; Banks, savings banks, and rural savings banks; Public administration with competence in the matter International transfer Not foreseen Retention period For a period of 6 years from the last confirmation of interest. After the relationship ends and is not linked to other issues, it is retained for a minimum period of 6 years, in accordance with the Commercial Code and tax regulations. Security measures Signed contracts and confidentiality clauses. Access control to the platform and physical areas of the event. TLS/SSL encryption and encrypted backups. Access logging and management logs. Minimization policy and annual review. Unified mechanism for addressing rights by co-controllers. SOCIAL MEDIA MANAGEMENT - SOUTH SUMMIT Legal bases Explicit consent of the data subject (GDPR: 6.1.a) Consent of the data subject. Purposes Create and publish promotional, informative, and engaging content on social media; Identify trends and opportunities through analysis of interaction data; Interact with followers by responding to comments, direct messages, and mentions; Monitor statistics and metrics to improve social media strategy and foster community participation; Promote South Summit activities, events, and services Data categories and collectives Followers (Identification data) Data origin The data subject themselves or their legal representative Category of recipients Data may be shared with technology service providers and social media platforms such as Facebook, Instagram, LinkedIn, TikTok, and Twitter, according to the privacy policies of those platforms. International transfer Not foreseen Retention period As long as its erasure is not requested by the data subject. Personal data will be processed as long as it is necessary or relevant for the established purposes. If the data subject requests erasure, the data will be blocked in accordance with the GDPR, for a maximum period of three years, for its availability in case of legal requirements by judges, courts, or competent authorities. Statistical and metric records will be kept anonymized for analysis and improvement of future strategies. Security measures Organizational:

• Implementation of internal policies to regulate the use of social media, ensuring compliance with the GDPR and personal data protection.
• Training for personnel responsible for social media management on best practices and data protection regulations.
• Logging of access and roles assigned to the team responsible for managing social media to prevent improper access.
• Internal supervision and approval of publications to ensure that sensitive personal data is not included without prior consent.

Technical:

• Use of certified tools for centralized social media management, with in-transit encryption (HTTPS).
• Restriction of access through multi-factor authentication on all social media accounts.
• Monitoring of access and activities on platforms to ensure traceability and detect potential incidents.
• Regular backups of created content and statistics on secure servers with ISO 27001 certification.

Physical:

• Physical access control to devices used to manage social media, including measures such as automatic locking and biometric authentication.
• Secure storage of materials related to social media campaigns (images, videos, etc.) in restricted areas.

PARTICIPATION REQUEST MANAGEMENT - PARTNER WITH US Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties Purposes Manage requests to collaborate as partners or exhibitors at the event; Inform companies about stand types, rates, and available services to participate in South Summit; Offer personalized attention and resolve doubts related to event participation; Register and follow up on received inquiries to convert them into commercial agreements; CATEGORIES OF DATA SUBJECTS: Natural persons acting on behalf of companies, universities, public or private entities, startups, innovation hubs, commercial delegations, corporations, or investment funds interested in establishing collaborations or agreements with South Summit. DATA CATEGORIES: Identification data (name, surname, professional email, phone); Professional data (represented company or organization, headquarters, position, area of work, sector of activity); Commercial or relationship data (reason for interest in being a partner, editions of interest: Madrid/Brazil/Korea, comments or free information); Optional consent (acceptance to receive commercial communications); Minimum technical data (IP address and submission metadata: date, time, browser). ORIGIN: Directly from the data subject through voluntary completion of the "Partner with Us" web form hosted on southsummit.io. Data categories and collectives Representatives of organizations interested in collaborating with South Summit (Identification data; Employment details; Other categories) Data origin The data subject themselves or their legal representative; Private entity; Web contact or collaboration forms (e.g., "Partner with Us", "Get Your Stand"), emails sent to corporate addresses published on the web (info@, partners@, startups@), fairs, conferences, or networking activities where professional contact data is collected. Category of recipients Not foreseen International transfer Not foreseen Retention period Data will be retained for the duration of the application evaluation and the pre-contractual relationship. If no collaboration is formalized, it will be kept blocked for 2 years for future opportunity tracking or compliance with legal obligations. Data processed based on consent for communications will be retained as long as the data subject does not withdraw such consent. Security measures Encrypted transmission (HTTPS/TLS 1.3). Forms protected by server authentication and captcha. Role-based access control in CRM and activity logging. Encryption at rest of databases and backups. Periodic vulnerability review and penetration testing. Log registration and submission traceability. MANAGEMENT OF REGISTERED USERS OF THE COMPETITION PLATFORM (STARTUPS / CALLS) Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties. Purposes Profile analysis; Facilitate registration and access for startups, partners, and investors to the Startup Competition platform; Manage startup registration in the competition and associated services; Offer technical support to users and resolve incidents during the registration and evaluation process; Allow contact between competition participants and South Summit partners to generate business opportunities; Promote user participation in future events and competitions organized by South Summit; ORIGIN: Data provided by users themselves when registering on the competition.southsummit.io platform or by direct submission to the South Summit team. No data is obtained from external sources. COLLECTIVES: Registered startups, South Summit partners, registered investors, Startup Competition participants. DATA CATEGORIES: Identification data (name, company, position, country), Contact (email, phone), Professional (pitch deck, project description, startup information, sector of activity), Location data (city, country). Data categories and collectives Registered competition users (Identification data) Data origin The data subject themselves or their legal representative Category of recipients Data processors: No transfers in the strict sense are made, but data is shared with data processors that provide services to South Summit: - Hosting and cloud storage providers for the competition.southsummit.io platform - Email marketing and communication tools with participants - Technical support and platform maintenance providers International transfers: Data may be hosted on servers located outside the European Economic Area (EEA), always under adequate safeguards such as standard contractual clauses approved by the European Commission or equivalent mechanisms. International transfer Not foreseen Retention period 2 years Security measures

• Encryption of data in transit (HTTPS) and at rest (AES-256) to protect personal information
• Implementation of multi-factor authentication (MFA) for access to the registered user management platform
• Monitoring and logging of activities on the platform to detect improper access or security incidents
• Regular backups and storage on servers with security certifications (ISO 27001)
• Limitation of access to sensitive data through role-based permissions
• Restricted access control policies, ensuring that only authorized personnel access registered data
• Periodic audits of data processing to ensure compliance with regulations and prevent improper access
• Continuous training for personnel on proper personal data management and legal obligations under the GDPR
• Use of a consent management system to verify and store explicit user authorizations

VOLUNTEER MANAGEMENT Legal bases Explicit consent of the data subject Purposes Support in accreditation, logistics, and venue access; Assign tasks and schedules to volunteers during the event; Support startups, speakers, and investors within the Marketplace and in meetings; Facilitate communication with volunteers before, during, and after the event for organizational matters; Ensure occupational risk prevention for volunteers during their collaboration in the event; Provide information to visitors and coordinate flows within the venue Data categories and collectives Volunteers (Identification data; Personal characteristics) Data origin The data subject themselves or their legal representative Category of recipients Social Security bodies International transfer Not foreseen Retention period For a period of 5 years from the last confirmation of interest. Data will be processed and retained as long as necessary for the purposes foreseen in event management. After 5 years from the volunteer's last interaction or collaboration, data will be securely deleted, unless there is a legal obligation for its retention. Security measures

• Organizational:
• Creation of specific internal policies for volunteer data management, limiting access only to authorized personnel.
• Obtaining explicit consents during the volunteer registration process, detailing the specific purposes of their data processing.
• Signing confidentiality agreements by volunteers in case of access to sensitive event information (startups, investors, etc.).
• Training for the management team and volunteers on data protection regulations and their responsibilities during the event.

Technical:

• Use of secure systems for volunteer data management, including digital platforms with multi-factor authentication and encryption (AES-256).
• Encryption of data in transit (HTTPS) to protect information during exchange between systems.
• Logging and auditing of access to the volunteer management system to ensure traceability.
• Regular backups of data, stored on ISO 27001 certified servers.

Physical:

• Storage of physical documents (such as signed agreements) in restricted access areas. Control of access to devices and spaces where volunteer personal data is managed.
• Secure deletion of physical documents, through certified shredding, once processing purposes are met.

EVALUATION JURY MANAGEMENT - STARTUP COMPETITION Legal bases (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.a GDPR) Consent of the data subject Purposes Send invitations and coordinate the participation of jury members, indicating dates and sessions; Manage jury registration requests received through the "Become a Jury" form; Maintain communication with jury members to inform them about competition-related activities; Organize and facilitate the evaluation of the 100 selected startups through the South Summit platform; Organize and facilitate the evaluation of the 100 selected startups through the South Summit platform Data categories and collectives Jury (Identification data; Other categories; Employment details) Data origin The data subject themselves or their legal representative; Private entity Category of recipients Not foreseen International transfer Not foreseen Retention period As long as the commercial relationship is maintained. Personal data of jury members will be processed as long as there is a contractual or collaboration relationship with South Summit. After the relationship ends, data will be blocked and retained for a minimum period of 6 years in accordance with the Commercial Code and tax regulations. Data related to evaluations will be anonymized once organizational and legal purposes are met. Security measures Organizational:

• Internal procedures to ensure that only authorized personnel access information about jury members and evaluated startups.
• Signing confidentiality agreements by jury members to protect information about evaluated projects.
• Training for personnel responsible for jury management on GDPR compliance and data processing obligations.
• Logging and documentation of activities related to jury data processing, including invitations and evaluations.

Technical:

• Use of secure and certified platforms for managing evaluations and personal data of jury members.
• Encryption of data in transit (HTTPS) and at rest (AES-256).
• Implementation of multi-factor authentication for access to the project evaluation platform.
• Monitoring and logging of access and activities performed on the platform to ensure traceability.
• Daily backups of stored information, with rapid recovery in case of incidents.

Physical:

• Storage of any physical documents related to the jury in restricted access areas.
• Use of access control systems in spaces where jury and evaluated startup data is managed.
• Secure deletion of physical documents through certified shredding.

INTEGRATED AGENDA AND CALENDAR MANAGEMENT - SOUTH SUMMIT Legal bases Explicit consent of the data subject (GDPR: 6.1.a) Consent of the data subject. ); Existence of a contractual relationship with the data subject through a contract or pre-contract; Legitimate interest of the Controller or third parties (GDPR: 6.1.e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller Purposes Appointment and agenda control; Coordination and reminder of scheduled meetings within South Summit; Generation of personalized calendars based on user preferences and profile; Management of personalized agendas for event participants; Organization of appointments and meetings between attendees, investors, startups, and exhibitors; Planning of selected activities in the event program Data categories and collectives People who access and contact via the web (Identification data). Clients (Identification data). Employees (Identification data) Data origin The data subject themselves or their legal representative; People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us Category of recipients Group entities; Agenda data may be shared with third parties (such as other attendees with whom the user agrees to meetings) with the explicit consent of the data subject. Technology providers responsible for maintaining the agenda management platform, always under agreements that guarantee GDPR compliance. International transfer Not foreseen Retention period As long as its erasure is not requested by the data subject. Personal data will be retained for the duration of the event and a maximum period of 2 years to maintain the commercial relationship with the data subject, unless its erasure is requested earlier or there is a legal obligation to retain it. Security measures Organizational:

• Definition and application of role-based access policies to ensure that only authorized users access agenda data.
• Regular audits of agenda use and management to identify potential breaches or errors.
• Continuous staff training on security measures, data management, and GDPR compliance.
• Logging and documentation of all processing activities related to agenda management.

Technical

• Implementation of multi-factor authentication for access to the agenda management platform.
• End-to-end encryption of data in transit (HTTPS) and at rest (AES256).
• Use of cloud servers with updated security certificates and compliance with standards such as ISO 27001.
• Constant monitoring of access and activities in the system to detect potential misuse.
• Automatic backups to ensure information recovery in case of incidents.

Physical:

• Physical access control in data centers hosting servers, including 24/7 surveillance, alarm systems, and biometric authentication
• "Clean desk" policies and secure deletion of physical documents related to event planning.

INTEGRATED ATTENDEE AND TICKET SALES MANAGEMENT (INCLUDES WAITING LIST / PRE-SALE) Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.c GDPR) Compliance with legal obligations of the Controller Purposes Control event access using digital systems (QR codes or equivalents); Comply with legal and tax obligations associated with ticket sales; Send operational information about the event (location, schedules, updates); Facilitate event participation statistics to improve future editions; Manage ticket purchases through the South Summit website; Manage waiting lists and pre-sales to inform about the opening of future editions or promotions; Process and respond to requests for special passes such as the Investor Pass or the Press Pass; Origin of data: The data subject themselves when registering on the sales platform or on the waiting list / pre-sale of the southsummit.io domain or associated subdomains (e.g., presale.southsummit.io). They may also come from integrations with payment gateways or accreditation systems (Stripe, Paycomet, Eventbrite). Affected collectives: Attendees and ticket buyers. Users registered on Waiting List / Pre-sale. Applicants for special passes (investors, press, speakers). Data categories: Basic / Identification: Name and surname, email, phone (optional), company / organization, country / city. Professional data: Professional area ("I Work in") declared in waiting list or registration forms. Transactional / access data: Ticket type, QR code, validation date and time, billing and payment data (through the gateway), technical logs (IP, browser, validations). Data categories and collectives Speaker and presenters (Identification data). South Summit attendees or other events (Identification data; Economic, financial, and insurance; Credit information; Personal characteristics; Employment details) Data origin The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients Banks, savings banks, and rural savings banks; Recipients: No data transfers to third parties are made, except for legal obligation (e.g., competent tax or judicial authorities). Data processors: Providers that offer services with access to personal data in accordance with Art. 28 GDPR contracts: - Ticket sales and management platform / ticketing. - Certified payment gateways (Stripe, Paycomet, etc.). - Access control and accreditation provider. - Cloud services and technical support associated with the southsummit.io domain. International transfers: Only if processors or sub-processors host data outside the EEA. In such cases, Standard Contractual Clauses (SCC) or the Data Privacy Framework (DPF) will be applied to ensure an adequate level of protection. IE UNIVERSITY (CIF: G40155384) International transfer Not foreseen Retention period Buyer and attendee data will be retained for 5 years after the event ends, in accordance with tax and guarantee obligations. Waiting list and pre-sale data will be retained for 1 year or until purchase or cancellation of interest. Access logs will be deleted at the end of the legal period (max. 5 years). Security measures TLS encryption in communications. PCI-DSS certified payment gateway. Restricted and authenticated access to the management panel. Physical access control via unique QR. Access logging and technical logs. Anonymization of data in statistical analyses. Annual review of providers and sub-processors. Automatic retention and blocking policy. DPO supervision. INTEGRATED EVENT MANAGEMENT - SOUTH SUMMIT APP Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract Purposes Agenda. Calendar with South Summit events.; Sending direct messages between all event attendees.; Exhibitors. List of companies with stands, their contact details, and responsible person.; Initiation of video calls from the messages section with people with whom a conversation is open.; My Event. Events that each user has marked and meetings with other users.; My QR. QR code that allows accreditation to access the event.; Networking. List of all attendees to be able to contact them.; Speakers. Access to each Speaker's profile where you can connect with their social networks and companies.; Startup competition. List of participating companies in the competition, their contact details, and company videos. Possibility to open a direct message with the company. Data categories and collectives Registered users / South Summit App users (Identification data; Commercial information). South Summit attendees or other events (Identification data; Employment details; Commercial information) Data origin The data subject themselves or their legal representative; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients Public administration with competence in the matter International transfer Not foreseen Retention period As long as the commercial relationship is maintained. Data will be retained as long as the user keeps their account active and does not request data erasure. Once the event ends, data will be deleted within a maximum of 2 years, unless there is a legal obligation to retain it. Security measures Organizational

• Access control through multi-factor authentication.
• Specific staff training on data protection.
• Periodic security audits of the application.

Technical

• Encryption of data in transit (HTTPS) and at rest.
• Pseudonymization of data to minimize risks.
• Implementation of security incident detection and response systems.

Physical

• Security of physical servers where data is hosted.

INTEGRATED SPEAKER MANAGEMENT - SOUTH SUMMIT Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 22 LOPD/GDD) Processing of images from camera or video camera systems to preserve the security of people, property, and facilities; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties Purposes Evaluate the suitability of the application; Manage communications related to the selection process; Organize the speaker's participation in the event; Publish the speaker's professional information on the event's official channels (web, agenda, dossier); Collect information from speaker candidates; ORIGIN: Data submitted via the "Apply to Speak" form, hosted on Typeform (southsummit.typeform.com). Data provided by the candidate or by a nominating third party (recommendation) is analyzed. Some data may be verified using public sources (LinkedIn, corporate websites). COLLECTIVES: Candidate speakers, selected speakers, speakers nominated by third parties. DATA CATEGORIES: Identification data (name, surname); Contact (email, phone); Professional profile (biography, company, position, links to professional networks); Location data (country/city); Professional material (videos, previous talks, portfolio). NOTE: Special categories are not requested. If the candidate spontaneously provides them, they are blocked and not used for selection. Data categories and collectives Speaker and presenters (Identification data; Employment details; Other categories) Data origin The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website Category of recipients DATA PROCESSORS: Typeform S.L. (Barcelona, EU) – Platform where the form is hosted. Sub-processor: Amazon Web Services (AWS – USA) for hosting and infrastructure. RECIPIENTS: Internal speaker selection teams. Event communication and production departments. Public display of the speaker's profile only if selected and they accept its publication. NO COMMERCIAL TRANSFERS ARE MADE. INTERNATIONAL TRANSFERS: Typeform may use providers located in the United States (AWS). Safeguard mechanisms: Data Privacy Framework (DPF) when applicable, and Standard Contractual Clauses (SCC 2021/914) + documented TIA. Typeform S.L. may use sub-processors located in the USA for hosting and technical data processing. The transfer is based on SCC and/or Data Privacy Framework. International transfer Not foreseen Retention period Application data will be retained for 2 years for possible future editions, unless there is opposition or a request for erasure. Selected speaker profiles may be retained as part of the event's historical archive or until consent for their publication is revoked. Annual purging of expired applications. Immediate erasure if the candidate requests it. Temporary blocking if there are claims or incidents. Security measures Processing agreement with Typeform S.L. (Art. 28 GDPR). Review and approval of TIA for AWS. TLS encryption in data collection. Restricted access to authorized personnel. Access logging and technical logs. Periodic deletion of expired applications. Anonymization/deletion procedure if the speaker revokes consent. MANAGEMENT OF IMAGES, VIDEOS, AND AUDIOVISUAL CONTENT OF THE SOUTH SUMMIT EVENT Legal bases (Art. 6.1.a GDPR) Consent of the data subject; (Art. 6.1.b GDPR) Existence of a contractual relationship with the data subject through a contract or pre-contract; (Art. 6.1.f GDPR) Legitimate interest of the Controller or third parties Purposes Grant images and videos to accredited press and media exclusively for event news coverage; Disseminate and communicate activities carried out during South Summit through the website, social networks, and official channels.; Produce audiovisual and photographic materials for promotional, informative, or institutional purposes, including their use in future editions; Record and live stream presentations, roundtables, and interviews conducted at the event; Preserve the event's historical audiovisual archive (internal or documentary use) Data categories and collectives Speaker and presenters (Identification data). South Summit attendees or other events (Identification data) Data origin The data subject themselves or their legal representative; Private entity; From the "Become a Speaker" form on the website; Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Category of recipients Images may be shared with media, social networks, and streaming platforms, always under the conditions of the privacy policies of those third parties. International transfer Not foreseen Retention period Images, videos, and recordings will be retained as long as they are useful for the informative and promotional purposes of the event and future editions, and may subsequently be kept in a historical audiovisual archive for documentary or institutional memory purposes. On social networks and third-party platforms, retention will be governed by the policies of those platforms. Data subjects may request the withdrawal or limitation of the use of their image at any time in accordance with Articles 17 and 18 GDPR. Security measures Organizational

• Obtaining explicit consent from attendees, speakers, and participants through visible notices in recording areas, and during online registration to participate in the event.
• Internal policies that limit access and use of images to authorized communication and marketing personnel.
• Periodic training for the responsible team on regulations applicable to recording and use of images, including GDPR and image rights.
• Documentation of agreements with photographers, videographers, and media participating in the event, ensuring compliance with data protection regulations.

Technical

• Encryption of images and videos stored in internal systems (AES-256).
• Use of secure platforms for content management and publication (social networks, servers with SSL certificates).
• Monitoring of access and activities related to image management to ensure traceability.
• Automatic backups and storage in controlled environments with ISO 27001 certification.

Physical

• Storage of any physical media (memory cards, hard drives) in secure, restricted access areas.
• Control of physical access to editing and image management areas within South Summit facilities.

11. DATA OF MINORS How do we handle data of minors? Minors under 14 years of age cannot use the services offered through our website without the prior authorization of their parents, guardians, or legal representatives. These will be solely responsible for all actions carried out through the website by the minors under their care, including the completion of online forms with the minors' personal data and, where appropriate, the selection of the corresponding checkboxes. In accordance with Article 8 of the GDPR and Article 7 of the LOPD/GDD, only individuals over 14 years of age can grant their consent for the lawful processing of their personal data by Spain Startup. 12. ORIGIN AND TYPES OF DATA PROCESSED Where have we obtained your data from? Management of Travel and Accommodation Bookings - South Summit -Ecommerce Clients: The data subject themselves or their legal representative -People who access and contact via the web: The data subject themselves or their legal representative. People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us -Registered users / South Summit App users: The data subject themselves or their legal representative -Representatives of organizations interested in collaborating with South Summit: The data subject themselves or their legal representative; Private entity. Web contact or collaboration forms (e.g., "Partner with Us", "Get Your Stand"), emails sent to corporate addresses published on the web (info@, partners@, startups@), fairs, conferences, or networking activities where professional contact data is collected. -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members -Registered competition users: The data subject themselves or their legal representative Startup Competition Evaluation Committee -Evaluation Committee: The data subject themselves or their legal representative; Private entity Cookies, pixel, and tracking -People who access and contact via the web: The data subject themselves or their legal representative. People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us Co-organization of the South Summit 2025 event. -Registered users / South Summit App users: The data subject themselves or their legal representative -Employees: The data subject themselves or their legal representative -Visitors: The data subject themselves or their legal representative -Volunteers: The data subject themselves or their legal representative -Speaker and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members -Registered competition users: The data subject themselves or their legal representative Compliance with GDPR obligations -Clients: The data subject themselves or their legal representative -Employees: The data subject themselves or their legal representative Event Access Management - South Summit -Volunteers: The data subject themselves or their legal representative -Speaker and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Management of Collaborators in Events and Content Production -Registered users / South Summit App users: The data subject themselves or their legal representative -Clients: The data subject themselves or their legal representative -Employees: The data subject themselves or their legal representative -Speaker and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members -Registered competition users: The data subject themselves or their legal representative Communications and Newsletters Management – South Summit -South Summit informative and newsletter community: The data subject themselves or their legal representative. Data is collected directly when the data subject enters their email address in the subscription forms on the official South Summit website (https://www.southsummit.io), associated subdomains, or in in-person and digital actions managed by the organization. Subscription requires express consent through an opt-in system (double email verification). Website Query Management - South Summit -People who access and contact via the web: The data subject themselves or their legal representative. People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us Management of participants and collaborating companies – South Summit -Clients: The data subject themselves or their legal representative Social Media Management - South Summit -Followers: The data subject themselves or their legal representative Participation Request Management - Partner with Us -Representatives of organizations interested in collaborating with South Summit: The data subject themselves or their legal representative; Private entity. Web contact or collaboration forms (e.g., "Partner with Us", "Get Your Stand"), emails sent to corporate addresses published on the web (info@, partners@, startups@), fairs, conferences, or networking activities where professional contact data is collected. Management of registered users of the competition platform (Startups / Calls) -Registered competition users: The data subject themselves or their legal representative Video Surveillance Management in Offices and Event Facilities -Employees: The data subject themselves or their legal representative -Visitors: The data subject themselves or their legal representative Volunteer Management -Volunteers: The data subject themselves or their legal representative Evaluation Jury Management - Startup Competition -Jury: The data subject themselves or their legal representative; Private entity Integrated Agenda and Calendar Management - South Summit -People who access and contact via the web: The data subject themselves or their legal representative. People who contact us from web forms such as Become an Ambassador, Suggest a Speaker, Suggest Ideas, and Contact Us -Clients: The data subject themselves or their legal representative -Employees: The data subject themselves or their legal representative Integrated attendee and ticket sales management (includes waiting list / pre-sale) -Speaker and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Integrated Event Management - South Summit App -Registered users / South Summit App users: The data subject themselves or their legal representative -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Integrated Speaker Management - South Summit -Speaker and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website Management of images, videos, and audiovisual content of the South Summit event -Speaker and presenters: The data subject themselves or their legal representative; Private entity. From the "Become a Speaker" form on the website -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members Management of Data Exchange at Events via QR Codes in the South Summit Application -South Summit attendees or other events: The data subject themselves or their legal representative. Event attendees such as Speakers, Partners, Investors, Presenters, or Startup Members WHAT TYPES OF YOUR DATA HAVE WE COLLECTED AND PROCESSED? Management of Travel and Accommodation Bookings - South Summit -Ecommerce Clients: Identification data (Email address; Postal address; NIF / NIE / Passport; Name and surname; Phone) -People who access and contact via the web: Identification data (Email address; Name and surname; Phone) -Registered users / South Summit App users: Identification data (Email address; Name and surname; Phone) -Representatives of organizations interested in collaborating with South Summit: Identification data (Email address; Postal address; NIF / NIE / Passport; Name and surname; Phone) -South Summit attendees or other events: Identification data (Name and surname; Phone; DNI / NIF / NIE / Passport) | Employment details (Company or organization where they work) -Registered competition users: Identification data (Email address; Postal address; Username) Startup Competition Evaluation Committee -Evaluation Committee: Identification data (Email address; Name and surname; Phone) | Other categories (Contact details (relationship, position, company where they work, email)) Cookies, pixel, and tracking -People who access and contact via the web: Commercial information (Data obtained through cookies, pixels, or similar instruments, if applicable.) | Other categories (ID generated by the Pixel or Cookie) Co-organization of the South Summit event -Registered users / South Summit App users: Identification data (Email address; Image; Name and surname; Phone; Social media profile LinkedIn, Twitter, Instagram, and Facebook.) | Commercial information (Activities and businesses; Artistic, literary, scientific, or technical creations; Confidential and/or copyrighted data and/or images; Subscriptions to publications or media; Data obtained through cookies, pixels, or similar instruments, if applicable.; Shipping address; Direct messages from the South Summit App.; Video calls from the South Summit App.) -Employees: Identification data (Email address) -Visitors: Identification data (Image) -Volunteers: Identification data (Email address; Postal address; NIF / NIE / Passport; Social Security Number / Mutual Fund; Name and surname; Phone) | Personal characteristics (Age; Nationality; Gender) -Speaker and presenters: Identification data (Email address; Image; Name and surname; Voice; Country; LinkedIn social media profile) | Employment details (Job positions; Company or organization where they work) | Other categories (Message) -South Summit attendees or other events: Identification data (Image; Name and surname; Phone; DNI / NIF / NIE / Passport; Social media profile LinkedIn, Twitter, Instagram, and Facebook.; Email) | Personal characteristics (Date of birth; Gender) | Employment details (Company or organization where they work) | Economic, financial, and insurance (PayPal) | Commercial information (Direct messages from the South Summit App.; Video calls from the South Summit App.) | Credit information (Bank card data, debit or credit.) -Registered competition users: Identification data (Email address; Postal address; Phone; Username; Company identification number / CIF; Contact details of legal representatives of the company) Compliance with GDPR obligations -Clients: Identification data (Name and surname; Postal address; NIF / NIE / Passport; Email address; Phone) -Employees: Identification data (Name and surname; Postal address; NIF / NIE / Passport; Email address; Fingerprint; Phone) | Employment details (Job positions) Event Access Management - South Summit -Volunteers: Identification data (Email address; NIF / NIE / Passport; Name and surname) -Speaker and presenters: Identification data (Email address; Image; Name and surname) -South Summit attendees or other events: Identification data (Image; Name and surname; DNI / NIF / NIE / Passport) Management of Collaborators in Events and Content Production -Registered users / South Summit App users: Identification data (Email address; Image; Name and surname; Phone; Social media profile LinkedIn, Twitter, Instagram, and Facebook.) -Clients: Identification data (Email address; Postal address; NIF / NIE / Passport; Name and surname; Phone; Country) -Employees: Identification data (Email address; Postal address; Handwritten signature; Name and surname; Phone) -Speaker and presenters: Identification data (Email address; Image; Name and surname; Voice; Country; LinkedIn social media profile) -South Summit attendees or other events: Identification data (Image; Name and surname; Phone; DNI / NIF / NIE / Passport; Social media profile LinkedIn, Twitter, Instagram, and Facebook.; Email) | Personal characteristics (Date of birth; Gender) | Employment details (Company or organization where they work) | Economic, financial, and insurance (PayPal) Commercial information (Direct messages from the South Summit App.; Video calls from the South Summit App.) | Credit information (Bank card data, debit or credit.) -Registered competition users: Identification data (Email address; Postal address; Phone; Username; Company identification number / CIF; Contact details of legal representatives of the company) Communications and Newsletters Management – South Summit -South Summit informative and newsletter community: Identification data (Name and surname; Email address; Phone) Website Query Management - South Summit -People who access and contact via the web: Identification data (Name and surname; Email address; Phone; Country) | Employment details (Job positions; Company or organization where they work) | Other categories (Message) Management of participants and collaborating companies – South Summit -Clients: Identification data (Name and surname; Postal address; Email address; Phone) Social Media Management - South Summit Followers: Identification data (Name and surname; Email address) Participation Request Management - Partner with Us -Representatives of organizations interested in collaborating with South Summit: Identification data (Name and surname; Phone; Country; Email address; Postal address; NIF / NIE / Passport) | Employment details (Company or organization where they work) | Other categories (Message; Contact details (relationship, position, company where they work, email)) Management of registered users of the competition platform (Startups / Calls) -Registered competition users: Identification data (Email address; Postal address; Phone; Username; Company identification number / CIF; Contact details of legal representatives of the company) Video Surveillance Management in Offices and Event Facilities -Employees: Identification data (Image) -Visitors: Identification data (Image) Volunteer Management -Volunteers: Identification data (Email address; Postal address; NIF / NIE / Passport; Social Security Number / Mutual Fund; Name and surname; Phone) | Personal characteristics (Age; Nationality; Gender) Evaluation Jury Management - Startup Competition -Jury: Identification data (Email address; Name and surname; Phone; Country) | Other categories (Contact details (relationship, position, company where they work, email)) | Employment details (Job positions; Company or organization where they work) Integrated Agenda and Calendar Management - South Summit -People who access and contact via the web: Identification data (Name and surname; Email address; Phone) -Clients: Identification data (Name and surname; Email address; Phone) -Employees: Identification data (Name and surname; Postal address; Phone) Integrated attendee and ticket sales management (includes waiting list / pre-sale) -Speaker and presenters: Identification data (Email address; Image; Name and surname; Voice) -South Summit attendees or other events: Identification data (Name and surname; Image; Phone; DNI / NIF / NIE / Passport) | Economic, financial, and insurance (PayPal) | Credit information (Bank card data, debit or credit.) | Personal characteristics (Date of birth; Gender) | Employment details (Company or organization where they work) Integrated Event Management - South Summit App -Registered users / South Summit App users: Identification data (Email address; Image; Name and surname; Phone; Social media profile LinkedIn, Twitter, Instagram, and Facebook.) | Commercial information (Activities and businesses; Direct messages from the South Summit App.; Video calls from the South Summit App.) -South Summit attendees or other events: Identification data (Name and surname; Image; Social media profile LinkedIn, Twitter, Instagram, and Facebook.) | Employment details (Company or organization where they work) | Commercial information (Direct messages from the South Summit App.; Video calls from the South Summit App.) Integrated Speaker Management - South Summit -Speaker and presenters: Identification data (Email address; Name and surname; Country; LinkedIn social media profile) | Employment details (Job positions; Company or organization where they work) | Other categories (Message) Management of images, videos, and audiovisual content of the South Summit event -Speaker and presenters: Identification data (Image) -South Summit attendees or other events Identification data (Image) Management of Data Exchange at Events via QR Codes in the South Summit Application -South Summit attendees or other events: Identification data (Image; Name and surname; Phone; DNI / NIF / NIE / Passport; Social media profile LinkedIn, Twitter, Instagram, and Facebook.; Email) | Commercial information (Direct messages from the South Summit App.; Video calls from the South Summit App.) 13. RIGHTS OF DATA SUBJECTS What are your rights regarding your data? Data protection regulations grant you specific rights that you can exercise in relation to the processing of your data. These rights are personal and non-transferable, meaning that only you, as the data subject, can exercise them after verifying your identity. Your rights are described below: Right of access: You can request confirmation of whether Spain Startup is processing your data and access information related to its processing. Right to rectification: If your personal data is inaccurate or incomplete, you can request its correction. Right to erasure ("right to be forgotten"): You can request the deletion of your data when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent. Right to restriction of processing: You can request the restriction of the processing of your data, for example, while its accuracy is being verified or in other cases provided by law. Right to data portability: You have the right to receive your data in a structured, commonly used, and machine-readable format, and to transmit it to another controller. Right to object: You can object to the processing of your data for reasons related to your particular situation, or when the processing is based on a legitimate interest. Right not to be subject to automated individual decision-making: You can request not to be subject to decisions based solely on automated processing of your data, including profiling. Right to withdraw consent: You can withdraw your consent at any time, without affecting the lawfulness of processing based on consent given before its withdrawal. Right to lodge a complaint: If you believe your rights have not been respected, you can lodge a complaint with the relevant supervisory authority: Spanish Data Protection Agency info@aepd.es https://www.aepd.es To exercise any of these rights, you can contact Spain Startup using the following contact information: Controller: Spain Startup and Investor Services S.L Address: Paseo de la Castellana Nº 70, first floor. 28046, Madrid (Madrid), Spain Phone: +34 915625784 Email: privacy@southsummit.io Website: http://www.southsummit.io You can also exercise your rights before the Data Protection Officer: Email: rgpd@auratechlegal.es - Phone: 0034 911 134 963 How can you exercise your rights regarding your data? To exercise your rights of access, rectification, erasure, restriction or objection, portability, and withdrawal of your consent, you can do so by sending an email to these addresses: rgpd@auratechlegal.es / privacy@southsummit.io or by postal mail to: Paseo de la Castellana Nº 70, first floor. 28046, Madrid (Madrid), Spain. How can you lodge a complaint if you believe your rights are not being respected? If you believe that the processing of your personal data does not comply with data protection regulations, you have the right to lodge a complaint with the corresponding Supervisory Authority in your country of residence or place of activity. Depending on your location, you can contact the competent authority in your country. For example: -In Germany, you can contact the Berliner Beauftragte für Datenschutz und Informationsfreiheit. -In France, the competent authority is the Commission Nationale de l’Informatique et des Libertés (CNIL). The specific contact details for Spain are as follows: Spanish Data Protection Agency C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain Email: info@aepd.es Phone: 900293183 Web: https://www.aepd.es If you are unsure which authority applies to you or need information about other supervisory authorities, you can consult the article on Data Protection Supervisory Authorities, where you will find contact details and links according to your location. 14. MODIFICATION AND PRINCIPLE OF INFORMATION This document ensures that you understand how we process your personal data. By using our website or services, you confirm that you have been informed about the terms of our Privacy Policy, in accordance with the principle of information established in Article 13 of the GDPR. The legal bases for processing your personal data are set out in Article 6 of the GDPR, and may include the performance of a contract, compliance with legal obligations, or legitimate interest, among others. This policy has been prepared in collaboration with Auratech Legal, a law firm specializing in data protection, and will be reviewed periodically to ensure its adequacy and compliance. Spain Startup reserves the right to modify this Privacy Policy based on legislative changes, jurisprudence, or guidelines from supervisory authorities. Any relevant modification affecting the purposes of processing, retention periods, or user rights will be explicitly communicated. Last updated: December 10, 2025